NEW QUESTION 1 
- (Topic 1) 
The type of discretionary access control (DAC) that is based on an individual's identity is also called: 


A. Identity-based Access control 

B. Rule-based Access control 

C. Non-Discretionary Access Control 
D. Lattice-based Access control 


Answer: A 


Explanation: 

An identity-based access control is a type of Discretionary Access Control (DAC) in which access decisions are based on an individual's identity. 

DAC is suited to low-security environments. The owner of the file decides who has access to the file. 

If a user creates a file, he is the owner of that file. An identifier for this user is placed in the file header and/or in an access control matrix within the operating system. 

Ownership might also be granted to a specific individual. For example, a manager for a certain department might be made the owner of the files and resources within her department. A system that uses discretionary access control (DAC) enables the owner of the resource to specify which subjects can access specific resources. 

This model is called discretionary because the control of access is based on the discretion of the owner. Many times department managers, or business unit managers, are the owners of the data within their specific department. Being the owner, they can specify who should have access and who should not. 
Reference(s) used for this question: 

Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 220). McGraw- Hill . Kindle Edition. 


NEW QUESTION 2 
- (Topic 1) 
Controlling access to information systems and associated networks is necessary for the preservation of their: 


A. Authenticity, confidentiality and availability 

B. Confidentiality, integrity, and availability. 

C. integrity and availability. 

D. authenticity,confidentiality, integrity and availability. 


Answer: B 


Explanation: 
Controlling access to information systems and associated networks is necessary for the preservation of their confidentiality, integrity and availability. 
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 31. 


NEW QUESTION 3 

- (Topic 1) 

Which of the following is implemented through scripts or smart agents that replay the user's multiple log-ins against authentication servers to verify a user's identity and permit access to system services? 


A. Single Sign-On 
B. Dynamic Sign-On 
C. Smart cards 

D. Kerberos 


Answer: A 


Explanation: 

SSO can be implemented by using scripts that replay the user's multiple log-ins against authentication servers to verify the user's identity and to permit access to system services. 

Single Sign-On is the best answer here because it is the general mechanism, of which Kerberos is one implementation. When two of the four choices presented are both plausible you must select the BEST one: the higher-level choice, the one that encompasses the other, is the best answer. 

Reference(s) used for this question: 

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 40. 


NEW QUESTION 4 
- (Topic 1) 
Which of the following is most affected by denial-of-service (DOS) attacks? 


A. Confidentiality 
B. Integrity 

C. Accountability 
D. Availability 
Answer: D 
Explanation: 


Denial of service attacks obviously affect availability of targeted systems. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the 
Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 61). 


NEW QUESTION 5 
- (Topic 1) 
What does the (star) property mean in the Bell-LaPadula model? 


A. No write up 
B. No read up 
C. No write down 
D. No read down 


Answer: C 


Explanation: 

The (star) property of the Bell-LaPadula access control model states that writing of information by a subject at a higher level of sensitivity to an object at a lower 
level of sensitivity is not permitted (no write down). 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 202). 

Also check out: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 5: Security Models and Architecture (pages 242-243). 


NEW QUESTION 6 
- (Topic 1) 
Which of the following centralized access control mechanisms is the least appropriate for mobile workers accessing the corporate network over analog lines? 


A. TACACS 
B. Call-back 
C. CHAP 

D. RADIUS 


Answer: B 


Explanation: 

Call-back allows for a distant user connecting into a system to be called back at a number already listed in a database of trusted users. The disadvantage of this system is that the user must be at a fixed location whose phone number is known to the authentication server. Being mobile workers, users are accessing the system from multiple locations, making call-back inappropriate for them. 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 44). 


NEW QUESTION 7 
- (Topic 1) 
Rule-Based Access Control (RuBAC) access is determined by rules. Such rules would fit within what category of access control? 


A. Discretionary Access Control (DAC) 

B. Mandatory Access control (MAC) 

C. Non-Discretionary Access Control (NDAC) 
D. Lattice-based Access control 


Answer: C 


Explanation: 

Rule-based access control is a type of non-discretionary access control because this access is determined by rules and the subject does not decide what those 
rules will be, the rules are uniformly applied to ALL of the users or subjects. 

In general, all access control policies other than DAC are grouped in the category of non- discretionary access control (NDAC). As the name implies, policies in 
this category have rules that are not established at the discretion of the user. Non-discretionary policies establish controls that cannot be changed by users, but 
only through administrative action. 

Both Role Based Access Control (RBAC) and Rule Based Access Control (RUBAC) fall within Non Discretionary Access Control (NDAC). If it is not DAC or MAC 
then it is most likely NDAC. 

IT IS NOT ALWAYS BLACK OR WHITE 

The different access control models are not totally exclusive of each other. MAC also makes use of rules. However, with MAC you have requirements above and beyond having simple access rules: the subject must have formal approval from management, the subject must hold the proper security clearance, and objects must have labels/sensitivity levels attached to them. If all of this is in place then you have MAC. 

BELOW YOU HAVE A DESCRIPTION OF THE DIFFERENT CATEGORIES: 

MAC = Mandatory Access Control 

Under a mandatory access control environment, the system or security administrator will define what permissions subjects have on objects. The administrator does not dictate a user's access but simply configures the proper level of access as dictated by the Data Owner. 

The MAC system will look at the security clearance of the subject and compare it with the object's sensitivity level or classification level. This is what is called the dominance relationship. 

The subject must DOMINATE the object's sensitivity level, which means that the subject must have a security clearance equal to or higher than that of the object he is attempting to access. 

MAC also introduces the concept of labels. Every object will have a label attached to it indicating the classification of the object as well as categories that are used to impose the need-to-know (NTK) principle. Even though a user has a security clearance of Secret, it does not mean he would be able to access every Secret document within the system. He would be allowed to access only the Secret documents for which he has a need to know, formal approval, and for which he belongs to one of the categories attached to the object. 

If there is no clearance and no labels then IT IS NOT Mandatory Access Control. 

Many of the other models can mimic MAC but none of them have labels and a dominance relationship, so they are NOT in the MAC category. 

NISTIR 7316 says: 

Usually a labeling mechanism and a set of interfaces are used to determine access based on the MAC policy; for example, a user who is running a process at the Secret classification should not be allowed to read a file with a label of Top Secret. This is known as the "simple security rule," or "no read up." Conversely, a user who is running a process with a label of Secret should not be allowed to write to a file with a label of Confidential. This rule is called the "*-property" (pronounced "star property") or "no write down." The *-property is required to maintain system security in an automated environment. A variation on this rule called the "strict *-property" requires that information can be written at, but not above, the subject's clearance level. Multilevel security models such as the Bell-La Padula Confidentiality and Biba Integrity models are used to formally specify this kind of MAC policy. 

DAC = Discretionary Access Control 

DAC is also known as an identity-based access control system. 

The owner of an object is defined as the person who created the object. As such, the owner has the discretion to grant access to other users on the network. Access will be granted based solely on the identity of those users. 

Such a system is suited only to low security requirements. One of the major problems is the fact that a user who has access to someone else's file can further share the file with other users without the knowledge or permission of the owner of the file. Very quickly this could become the wild wild west, as there is no control on the dissemination of the information. 

RBAC = Role Based Access Control 

RBAC is a form of Non-Discretionary access control. 

Role Based access control usually maps directly to the different types of jobs performed by employees within a company. 

For example, there might be 5 security administrators within your company. Instead of creating each of their profiles one by one, you would simply create a role and assign the administrators to the role. Once an administrator has been assigned to a role, he will IMPLICITLY inherit the permissions of that role. 

RBAC is a great tool for environments where there is a large rotation of employees on a daily basis, such as a very large help desk, for example. 

RuBAC = Rule Based Access Control 

RuBAC is a form of Non-Discretionary access control. 

A good example of a rule-based access control device would be a firewall. A single set of rules is imposed on all users attempting to connect through the firewall. 
NOTE FROM CLEMENT: 

A lot of people tend to confuse MAC and Rule Based Access Control. 

Mandatory Access Control must make use of LABELS. If there are only rules and no labels, it cannot be Mandatory Access Control. This is why they call it Non Discretionary Access Control (NDAC). 

There are even books out there that are WRONG on this subject. Books are sometimes opinionated and not strictly based on facts. 

In MAC subjects must have clearance to access sensitive objects. Objects have labels that contain the classification to indicate the sensitivity of the object, and the label also has categories to enforce the need to know. 

Today the best example of rule based access control would be a firewall. All rules are imposed globally on any user attempting to connect through the device. This is NOT the case with MAC. 

I strongly recommend you read carefully the following document: 

NISTIR-7316 at http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316.pdf 

It is one of the best Access Control study documents to prepare for the exam. Usually I tell people not to worry about the hundreds of NIST documents and other references. This document is an exception. Take some time to read it. 

Reference(s) used for this question: 

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33. 

NISTIR-7316 at http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316.pdf 

Conrad, Eric; Misenar, Seth; Feldman, Joshua (2012-09-01). CISSP Study Guide (Kindle Locations 651-652). Elsevier Science (reference). Kindle Edition. 
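To make the DAC versus rule-based distinction above concrete, here is an added example in Python. It is not from any of the references cited for this question; the in-memory store, the rule set and the user, file and address names are hypothetical. The first half models owner-controlled sharing, including the re-sharing weakness described under DAC (a reader copies the file, owns the copy, and grants access to it). The second half evaluates an ordered, firewall-style rule set that is applied identically to every connection, which is what makes it non-discretionary.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


class DacStore:
    """Discretionary access control: the creator of an object is its owner,
    and only the owner may change who else can access it."""

    def __init__(self) -> None:
        self.owner: Dict[str, str] = {}                   # object -> owner
        self.acl: Dict[str, Dict[str, Set[str]]] = {}     # object -> {subject: perms}

    def create(self, subject: str, obj: str) -> None:
        self.owner[obj] = subject
        self.acl[obj] = {subject: {"read", "write"}}

    def grant(self, grantor: str, obj: str, grantee: str, perm: str) -> None:
        # Discretion rests with the owner alone; anyone else is refused.
        if self.owner.get(obj) != grantor:
            raise PermissionError(f"{grantor} does not own {obj}")
        self.acl[obj].setdefault(grantee, set()).add(perm)

    def check(self, subject: str, obj: str, perm: str) -> bool:
        return perm in self.acl.get(obj, {}).get(subject, set())

    def copy(self, subject: str, obj: str, new_obj: str) -> None:
        # The weakness described above: a reader can copy the data, become the
        # owner of the copy, and re-share it without the original owner knowing.
        if not self.check(subject, obj, "read"):
            raise PermissionError(f"{subject} cannot read {obj}")
        self.create(subject, new_obj)


@dataclass(frozen=True)
class Rule:
    """One firewall-style rule; dst_port None matches any port."""
    action: str                       # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst_port: Optional[int] = None


def evaluate(rules: List[Rule], src_ip: str, dst_port: int, default: str = "deny") -> str:
    """Rule-based access control: first matching rule wins, and the same ordered
    rule set applies to every connection regardless of who is behind it."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if ip in rule.src and rule.dst_port in (None, dst_port):
            return rule.action
    return default


def demo() -> Dict[str, object]:
    """Hypothetical users, files and addresses; returns the decisions for inspection."""
    dac = DacStore()
    dac.create("alice", "budget.xlsx")
    dac.grant("alice", "budget.xlsx", "bob", "read")
    try:
        dac.grant("bob", "budget.xlsx", "carol", "read")   # bob is not the owner
        bob_can_regrant = True
    except PermissionError:
        bob_can_regrant = False
    dac.copy("bob", "budget.xlsx", "budget-copy.xlsx")     # ...but bob can copy it
    dac.grant("bob", "budget-copy.xlsx", "carol", "read")  # ...and share the copy

    rules = [
        Rule("deny", ipaddress.ip_network("10.0.5.0/24")),        # quarantined subnet, any port
        Rule("allow", ipaddress.ip_network("10.0.0.0/8"), 443),   # internal HTTPS
        Rule("allow", ipaddress.ip_network("0.0.0.0/0"), 80),     # public HTTP
    ]
    return {
        "bob_reads_original": dac.check("bob", "budget.xlsx", "read"),
        "bob_can_regrant": bob_can_regrant,
        "carol_reads_copy": dac.check("carol", "budget-copy.xlsx", "read"),
        "quarantined_https": evaluate(rules, "10.0.5.7", 443),
        "internal_https": evaluate(rules, "10.1.2.3", 443),
        "internal_ssh": evaluate(rules, "10.1.2.3", 22),
        "public_http": evaluate(rules, "203.0.113.9", 80),
    }
```

Rule order matters in the second half: the quarantine deny sits before the broader allow, so a host in 10.0.5.0/24 is refused even for HTTPS, and anything no rule mentions falls to the default deny. Nothing in `evaluate` consults who the user is, which is exactly the point the note above makes.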


NEW QUESTION 8 
- (Topic 1) 
Which of the following questions is less likely to help in assessing identification and authentication controls? 


A. Is a current list maintained and approved of authorized users and their access? 
B. Are passwords changed at least every ninety days or earlier if needed? 

C. Are inactive user identifications disabled after a specified period of time? 

D. Is there a process for reporting incidents? 


Answer: D 


Explanation: 

Identification and authentication is a technical measure that prevents unauthorized people (or unauthorized processes) from entering an IT system. Access control 
usually requires that the system be able to identify and differentiate among users. Reporting incidents is more related to incident response capability (operational 
control) than to identification and authentication (technical control). 

Source: SWANSON, Marianne, NIST Special Publication 800-26, Security Self- Assessment Guide for Information Technology Systems, November 2001 (Pages 
A-30 to A-32). 


NEW QUESTION 9 
- (Topic 1) 
What is the most critical characteristic of a biometric identifying system? 


A. Perceived intrusiveness 
B. Storage requirements 
C. Accuracy 

D. Scalability 


Answer: C 


Explanation: 

Accuracy is the most critical characteristic of a biometric identification/verification system. 

Accuracy is measured in terms of the false rejection rate (FRR, or Type I errors) and the false acceptance rate (FAR, or Type II errors). 

The Crossover Error Rate (CER) is the point at which the FRR equals the FAR and has become the most important measure of biometric system accuracy. 

Source: TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume 1), 2000, CRC Press, Chapter 1, Biometric Identification (page 9). 
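An added worked example, not from the Tipton & Krause handbook, that computes FRR, FAR and the crossover point from match scores. The two score lists are constructed for a hypothetical matcher on an assumed 0-100 scale: one list for genuine attempts (an enrolled user against his own template) and one for impostors.

```python
from typing import List, Sequence, Tuple

# Constructed match scores (0-100) from a hypothetical matcher.
GENUINE = [95, 92, 90, 88, 85, 84, 80, 78, 75, 70, 64, 60]
IMPOSTOR = [68, 66, 61, 58, 55, 50, 45, 40, 35, 30, 25, 20]


def error_rates(genuine: Sequence[float], impostor: Sequence[float],
                threshold: float) -> Tuple[float, float]:
    """Return (FRR, FAR) when scores >= threshold are accepted.
    FRR (Type I): genuine users rejected.  FAR (Type II): impostors accepted."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def crossover_error_rate(genuine: Sequence[float], impostor: Sequence[float],
                         thresholds=range(0, 101)) -> Tuple[float, float]:
    """Sweep the decision threshold and return (threshold, CER) at the point where
    FRR and FAR are closest; CER is their common value (their mean if they never meet)."""
    best_t, best_gap, best_cer = None, None, None
    for t in thresholds:
        frr, far = error_rates(genuine, impostor, t)
        gap = abs(frr - far)
        if best_gap is None or gap < best_gap:
            best_t, best_gap, best_cer = t, gap, (frr + far) / 2
    return best_t, best_cer


def roc_table(genuine: Sequence[float], impostor: Sequence[float],
              thresholds=(50, 60, 65, 70, 90)) -> List[Tuple[int, float, float]]:
    """(threshold, FRR, FAR) rows: raising the threshold trades FAR for FRR."""
    return [(t,) + error_rates(genuine, impostor, t) for t in thresholds]
```

With these scores the curves meet at a threshold of 65, where two of twelve genuine attempts are rejected and two of twelve impostors are accepted, so the CER is about 16.7%. A vendor tuning for convenience lowers the threshold (FRR falls, FAR rises); a high-security deployment does the opposite, and the CER is the single number that lets two systems be compared independently of that tuning.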


NEW QUESTION 10 
- (Topic 1) 
The number of violations that will be accepted or forgiven before a violation record is produced is called which of the following? 


A. clipping level 
B. acceptance level 
C. forgiveness level 
D. logging level 
Answer: A 


Explanation: 

The correct answer is "clipping level". This is the point at which a system decides to take some sort of action when an action repeats a preset number of times. That action may be to log the activity, lock a user account, temporarily close a port, etc. 

Example: The most classic example of a clipping level is failed login attempts. If you have a system configured to lock a user's account after three failed login attempts, that is the "clipping level". 

The other answers are not correct because: 

Acceptance level, forgiveness level, and logging level are nonsensical terms that do not exist (to my knowledge) within network security. 

Reference: 

Official ISC2 Guide - The term "clipping level" is not in the glossary or index of that book. I cannot find it in the text either. However, I'm quite certain that it would be considered part of the CBK, despite its exclusion from the Official Guide. 

All-in-One Third Edition page: 136-137 
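An added example that implements a clipping level as detection logic over constructed sshd-style log lines. The lines, the ten-minute window and the rule that a successful login clears earlier failures are assumptions for the example, not from the references above. Failures below the level are forgiven; reaching the level produces the violation record (and here, a lock).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sshd-style log lines (not from any real host).
SAMPLE_LOG = """\
2024-03-01T08:00:01 sshd[101]: Failed password for alice from 192.0.2.10
2024-03-01T08:00:05 sshd[101]: Failed password for alice from 192.0.2.10
2024-03-01T08:00:09 sshd[101]: Accepted password for alice from 192.0.2.10
2024-03-01T08:01:00 sshd[102]: Failed password for bob from 198.51.100.7
2024-03-01T08:01:04 sshd[102]: Failed password for bob from 198.51.100.7
2024-03-01T08:01:09 sshd[102]: Failed password for bob from 198.51.100.7
2024-03-01T08:01:15 sshd[102]: Failed password for bob from 198.51.100.7
2024-03-01T09:30:00 sshd[103]: Failed password for carol from 203.0.113.5
2024-03-01T09:30:03 sshd[103]: Failed password for carol from 203.0.113.5
2024-03-01T10:45:00 sshd[104]: Failed password for carol from 203.0.113.5
"""

LINE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)$")


def find_violations(lines, clipping_level: int = 3,
                    window: timedelta = timedelta(minutes=10)) -> List[Dict[str, object]]:
    """Emit one violation record per user once failures within `window`
    reach `clipping_level`.  Below that level failures are forgiven: a
    successful login clears them and old ones age out of the window."""
    failures = defaultdict(deque)     # user -> timestamps of recent failures
    locked = set()
    records = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                  # unrelated log line
        stamp, outcome, user, src = m.groups()
        ts = datetime.fromisoformat(stamp)
        if outcome == "Accepted":
            failures[user].clear()    # design choice: success resets the count
            continue
        recent = failures[user]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()          # forgiven: outside the window
        if len(recent) >= clipping_level and user not in locked:
            locked.add(user)
            records.append({"user": user, "at": stamp, "src": src,
                            "failures": len(recent)})
    return records
```

On the sample, alice mistypes twice and then succeeds (forgiven), carol's two morning failures have aged out by the time of her third (forgiven), and only bob crosses the level, on his third attempt at 08:01:09; his fourth attempt does not produce a second record because the account is already locked. Lowering the level to 2 flags all three users, which is the trade-off the clipping level exists to tune: a low level catches slow guessing but floods the log with ordinary typos.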


NEW QUESTION 10 
- (Topic 1) 
In discretionary access environments, which of the following entities is authorized to grant information access to other people? 


A. Manager 

B. Group Leader 

C. Security Manager 
D. Data Owner 


Answer: D 


Explanation: 

In Discretionary Access Control (DAC) environments, the user who creates a file is also considered the owner and has full control over the file including the ability 
to set permissions for that file. 

The following answers are incorrect: 

Manager is incorrect because in Discretionary Access Control (DAC) environments it is the owner/user that is authorized to grant information access to other people. 

Group Leader is incorrect because in Discretionary Access Control (DAC) environments it is the owner/user that is authorized to grant information access to other people. 

Security Manager is incorrect because in Discretionary Access Control (DAC) environments it is the owner/user that is authorized to grant information access to other people. 

IMPORTANT NOTE: 

The term Data Owner is also used within Classifications as well. Under the subject of classification the Data Owner is a person from management who has been 
entrusted with a data set that belongs to the company. For example it could be the Chief Financial Officer (CFO) who is entrusted with all of the financial data for a 
company. As such the CFO would determine the classification of the financial data and who can access as well. The Data Owner would then tell the Data 
Custodian (a technical person) what the classification and need to know is on the specific set of data. 

The term Data Owner under DAC simply means whoever created the file; as the creator of the file, the owner has full access and can grant access to other subjects based on their identity. 


NEW QUESTION 13 
- (Topic 1) 
Which of the following can best eliminate dial-up access through a Remote Access Server as a hacking vector? 


A. Using a TACACS+ server. 

B. Installing the Remote Access Server outside the firewall and forcing legitimate users to authenticate to the firewall. 
C. Setting modem ring count to at least 5. 

D. Only attaching modems to non-networked hosts. 


Answer: B 


Explanation: 

Containing the dial-up problem is conceptually easy: by installing the Remote Access Server outside the firewall and forcing legitimate users to authenticate to the 
firewall, any access to internal resources through the RAS can be filtered as would any other connection coming from the Internet. 

The use of a TACACS+ server by itself cannot eliminate hacking. 

Setting a modem ring count to 5 may help in defeating war-dialing hackers who look for modems by dialing long series of numbers. 

Attaching modems only to non-networked hosts is not practical and would not prevent these hosts from being hacked. 

Source: STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 2: Hackers. 


NEW QUESTION 18 
- (Topic 1) 
The control measures that are intended to reveal the violations of security policy using software and hardware are associated with: 


A. Preventive/physical 

B. Detective/technical 

C. Detective/physical 

D. Detective/administrative 


Answer: B 
Explanation: 
The detective/technical control measures are intended to reveal the violations of security policy using technical means. 


Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the 
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 35. 
NEW QUESTION 23 
- (Topic 1) 
Which of the following describes the major disadvantage of many Single Sign-On (SSO) implementations? 


A. Once an individual obtains access to the system through the initial log-on, they have access to all resources within the environment that the account has access to. 

B. The initial logon process is cumbersome to discourage potential intruders. 

C. Once a user obtains access to the system through the initial log-on, they only need to logon to some applications. 

D. Once a user obtains access to the system through the initial log-on, he has to logout from all other systems 


Answer: A 


Explanation: 

Single Sign-On is a distributed access control methodology where an individual only has to authenticate once and would then have access to all primary and secondary network domains. The individual would not be required to re-authenticate when they needed additional resources. The security issue that this creates is that if a fraudster is able to compromise those credentials they too would have access to all the resources that account has access to. 

All the other answers are incorrect as they are distractors. 


NEW QUESTION 27 
- (Topic 1) 
Which of the following would assist the most in Host Based intrusion detection? 


A. audit trails. 

B. access control lists. 

C. security clearances. 

D. host-based authentication. 


Answer: A 


Explanation: 

To assist in intrusion detection you would review audit logs for access violations. 

The following answers are incorrect: 

access control lists. This is incorrect because access control lists determine who has access to what but do not detect intrusions. 

security clearances. This is incorrect because security clearances determine who has access to what but do not detect intrusions. 

host-based authentication. This is incorrect because host-based authentication determines who has been authenticated to the system but does not detect intrusions. 


NEW QUESTION 32 
- (Topic 1) 
What is called a password that is the same for each log-on session? 


A. "one-time password" 
B. "two-time password" 
C. static password 

D. dynamic password 


Answer: C 


Explanation: 
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36. 


NEW QUESTION 34 
- (Topic 1) 
Which security model is based on the military classification of data and people with clearances? 


A. Brewer-Nash model 
B. Clark-Wilson model 
C. Bell-LaPadula model 
D. Biba model 


Answer: C 


Explanation: 

The Bell-LaPadula model is a confidentiality model for information security based on the military classification of data and on people with clearances, where each object carries a classification or sensitivity level. The Biba and Clark-Wilson models are concerned with integrity; the Brewer-Nash (Chinese Wall) model addresses conflicts of interest, not military classification. 

Source: HARE, Chris, Security Architecture and Models, Area 6 CISSP Open Study Guide, January 2002. 


NEW QUESTION 39 

- (Topic 1) 

Which of the following is not a physical control for physical security? 
A. lighting 

B. fences 

C. training 

D. facility construction materials 


Answer: C 


Passing Certification Exams Made Easy, visit https://www.surepassexam.com 

Recommended: get the full SSCP dumps in VCE and PDF from SurePassExam, https://www.surepassexam.com/SSCP-exam-dumps.html (1074 New Questions) 


Explanation: 

Some physical controls include fences, lights, locks, and facility construction materials. Some administrative controls include facility selection and construction, 
facility management, personnel controls, training, and emergency response and procedures. 

From: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 3rd. Ed., Chapter 6, page 403. 


NEW QUESTION 44 

- (Topic 1) 

PINs, passwords, passphrases, tokens, smart cards, and biometric devices are all items that can be used for authentication. When one of the items listed above is used in conjunction with a second factor to validate authentication, it provides robust authentication of the individual by practicing which of the following? 


A. Multi-party authentication 
B. Two-factor authentication 
C. Mandatory authentication 
D. Discretionary authentication 


Answer: B 


Explanation: 

Once an identity is established it must be authenticated. There exist numerous technologies and implementations of authentication methods; however, they almost all fall under three major areas. 

There are three fundamental types of authentication: 

Authentication by knowledge: something a person knows 

Authentication by possession: something a person has 

Authentication by characteristic: something a person is 

Logical controls related to these types are called "factors." 

Something you know can be a password or PIN, something you have can be a token fob or smart card, and something you are is usually some form of biometrics. Single-factor authentication is the employment of one of these factors, two-factor authentication is using two of the three factors, and three-factor authentication is the combination of all three factors. 

The general term for the use of more than one factor during authentication is multifactor authentication or strong authentication. Note that two instances of the same factor (a password plus a PIN, both something you know) do not make two-factor authentication. 

Reference(s) used for this question: 

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 2367-2379). Auerbach 
Publications. Kindle Edition. 
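An added example, not from the (ISC)2 guide, that implements the possession factor as a time-synchronised token code (RFC 4226 HOTP under RFC 6238 TOTP) and combines it with the knowledge factor in one login check; it also serves the token-based dynamic password described under Question 47 below. The seed is the RFC test-vector seed, and the user record layout, salt and password are assumptions.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional

# RFC 4226 / RFC 6238 reference seed (ASCII "12345678901234567890"); real seeds
# are random bytes provisioned to the token and stored server-side.
SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of `step`-second periods since the epoch,
    which is what keeps token and server synchronised without any network exchange."""
    return hotp(secret, unix_time // step, digits)


def verify_code(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, skew: int = 1) -> Optional[int]:
    """Return the matching counter, accepting `skew` steps either side for clock drift."""
    counter = unix_time // step
    for c in range(counter - skew, counter + skew + 1):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return c
    return None


def make_user(password: str, seed: bytes) -> Dict[str, object]:
    salt = b"constructed-salt"      # assumption for the example; use os.urandom(16) per user
    return {"salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
            "seed": seed,
            "last_counter": -1}     # highest counter already accepted (anti-replay)


def login(users: Dict[str, Dict[str, object]], username: str,
          password: str, code: str, unix_time: int) -> bool:
    """Two-factor check: something known (password) AND something possessed (token)."""
    rec = users.get(username)
    if rec is None:
        return False
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000),
        rec["pw_hash"])
    matched = verify_code(rec["seed"], code, unix_time)   # evaluated even if pw_ok is False
    if not pw_ok or matched is None or matched <= rec["last_counter"]:
        return False
    rec["last_counter"] = matched     # each code is usable once
    return True
```

The `last_counter` check is what makes the code a one-time value: a code captured by a keylogger and replayed in the same 30-second window is refused, which a bare TOTP comparison would not do. The skew of one step either side tolerates ordinary clock drift between the token and the server; widening it much beyond that gives an attacker proportionally more valid codes per attempt.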


NEW QUESTION 46 
- (Topic 1) 
The end result of implementing the principle of least privilege means which of the following? 


A. Users would get access to only the info for which they have a need to know 
B. Users can access all systems. 

C. Users get new privileges added when they change positions. 

D. Authorization creep. 


Answer: A 


Explanation: 

The principle of least privilege refers to allowing users to have only the access they need and not anything more. Thus, certain users may have no need to access 
any of the files on specific systems. 

The following answers are incorrect: 

Users can access all systems. Although the principle of least privilege limits what access and systems users have authorization to, not all users would have a need 
to know to access all of the systems. The best answer is still Users would get access to only the info for which they have a need to know as some of the users may 
not have a need to access a system. 

Users get new privileges when they change positions. Although true that a user may indeed require new privileges, this is not a given fact and in actuality a user 
may require less privileges for a new position. The principle of least privilege would require that the rights required for the position be closely evaluated and where 
possible rights revoked. 

Authorization creep. Authorization creep occurs when users are given additional rights with new positions and responsibilities. The principle of least privilege 
should actually prevent authorization creep. 

The following reference(s) were/was used to create this question: 

ISC2 OIG 2007 p.101, 123 

Shon Harris AIO v3 p148, 902-903 


NEW QUESTION 47 
- (Topic 1) 
RADIUS incorporates which of the following services? 


A. Authentication server and PIN codes. 

B. Authentication of clients and static passwords generation. 

C. Authentication of clients and dynamic passwords generation. 

D. Authentication server as well as support for Static and Dynamic passwords. 


Answer: D 


Explanation: 

A Network Access Server (NAS) operates as a client of RADIUS. The client is responsible for passing user information to designated RADIUS servers, and then acting on the response which is returned. 

RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user. 

RADIUS authentication is based on the provision of simple username/password credentials. The password is hidden by the client using a shared secret between the client and the RADIUS server (RFC 2865 describes the MD5-based hiding; it is keyed obfuscation rather than strong encryption, so the shared secret must be protected and RADIUS traffic should be kept on a trusted network or inside a tunnel). OIG 2007, Page 513 

RADIUS incorporates an authentication server and can make use of both dynamic and static passwords. 

Since it uses the PAP and CHAP protocols, it also supports static passwords. 

RADIUS is an Internet protocol. RADIUS carries authentication, authorization, and configuration information between a Network Access Server and a shared Authentication Server. RADIUS features and functions were originally described in the IETF (Internet Engineering Task Force) document RFC 2138, since superseded by RFC 2865. 
The term "RADIUS" is an acronym which stands for Remote Authentication Dial In User Service. 

The main advantage to using a RADIUS approach to authentication is that it can provide a stronger form of authentication. RADIUS is capable of using a strong, 
two-factor form of authentication, in which users need to possess both a user ID and a hardware or software token to gain access. 

Token-based schemes use dynamic passwords. Every minute or so, the token generates a unique 4-, 6- or 8-digit access number that is synchronized with the 
security server. To gain entry into the system, the user must generate both this one-time number and provide his or her user ID and password. 

Although protocols such as RADIUS cannot protect against theft of an authenticated session via some realtime attacks, such as wiretapping, using unique, 
unpredictable authentication requests can protect against a wide range of active attacks. 

RADIUS: Key Features and Benefits 

Feature: RADIUS supports dynamic passwords and challenge/response passwords. Benefit: improved system security, since passwords are not static; it is much more difficult for a bogus host to spoof users into giving up their passwords or password-generation algorithms. 

Feature: RADIUS allows the user to have a single user ID and password for all computers in a network. Benefit: improved usability, since the user has to remember only one login combination. 

Feature: RADIUS is able to prevent RADIUS users from logging in via login (or ftp), require them to log in via login (or ftp), require them to log in to a specific network access server (NAS), and control access by time of day. Benefit: very granular control over the types of logins allowed, on a per-user basis. 

The time-out interval for failing over from an unresponsive primary RADIUS server to a backup RADIUS server is site-configurable. 

RADIUS gives the system administrator more flexibility in managing which users can log in from which hosts or devices. 

Stratus Technology Product Brief http://www.stratus.com/products/vos/openvos/radius.htm 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Pages 43-44. 

Also check: MILLER, Lawrence & GREGORY, Peter, CISSP for Dummies, 2002, Wiley Publishing, Inc., pages 45-46. 
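An added example, not from the OIG or Krutz & Vines, showing what "encrypted with the shared secret" actually means on the wire: the RFC 2865 section 5.2 User-Password hiding, wrapped in a minimal Access-Request built the way a NAS client would and un-hidden by the server for a PAP comparison. The shared secret, Request Authenticator, username, password, NAS address and credential table are all constructed for the example.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

# RADIUS attribute types used here (RFC 2865 section 5).
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; c1 = p1 XOR MD5(S + RA),
    c_i = p_i XOR MD5(S + c_{i-1}).  Keyed obfuscation, not authenticated encryption."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: anyone holding the shared secret recovers the password."""
    padded, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        padded += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return padded.rstrip(b"\x00")


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("BB", atype, len(value) + 2) + value


def access_request(ident: int, username: bytes, password: bytes, secret: bytes,
                   nas_ip: str = "192.0.2.1", authenticator: Optional[bytes] = None) -> bytes:
    """Build an Access-Request (Code 1) as the NAS client would send it."""
    ra = authenticator or os.urandom(16)       # Request Authenticator: 16 random bytes
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, hide_password(password, secret, ra))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + ra + attrs


def parse_packet(packet: bytes) -> Tuple[int, int, bytes, Dict[int, bytes]]:
    """Split header (code, id, length, authenticator) and the attribute TLVs."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    ra, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, ident, ra, attrs


def server_check(packet: bytes, secret: bytes, users: Dict[bytes, bytes]) -> bool:
    """Server side: un-hide User-Password with the same secret and compare (PAP).
    `users` is a constructed credential table for the example."""
    code, _, ra, attrs = parse_packet(packet)
    if code != 1 or USER_NAME not in attrs or USER_PASSWORD not in attrs:
        return False
    password = reveal_password(attrs[USER_PASSWORD], secret, ra)
    return hmac.compare_digest(users.get(attrs[USER_NAME], b""), password)
```

Two practical consequences follow from the construction. First, the hiding is reversible by design, so every RADIUS client and server that shares the secret can read the password, and a leaked secret exposes every password that crossed the wire. Second, nothing in a plain Access-Request authenticates the packet itself; the optional Message-Authenticator attribute (RFC 2869) or a transport such as RADIUS over TLS is what protects against tampering, which is why the "wiretapping" caveat above still applies.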


NEW QUESTION 49 
- (Topic 1) 
Which of the following statements relating to the Bell-LaPadula security model is FALSE (assuming the Strong Star property is not being used) ? 


A. A subject is not allowed to read up. 

B. The property restriction can be escaped by temporarily downgrading a high level subject. 
C. A subject is not allowed to read down. 

D. It is restricted to confidentiality. 


Answer: C 


Explanation: 

"A subject is not allowed to read down" is not a property of the Bell-LaPadula model; reading down (a Secret subject reading a Confidential object) is permitted. The other answers are incorrect because: 

"A subject is not allowed to read up" is the "simple security rule" of the Bell-LaPadula model. 

"The property restriction can be escaped by temporarily downgrading a high level subject" is true: the *-property can be escaped by temporarily downgrading a high level subject, or by identifying a set of trusted subjects which are permitted to violate the property as long as it is not in the middle of an operation. 

"It is restricted to confidentiality" is true: it is a state machine model that enforces the confidentiality aspects of access control. 

Reference: Shon Harris AIO v3, Chapter 5: Security Models and Architecture, pages 279-282 
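An added example that puts the labels, the dominance relationship and the two Bell-LaPadula properties discussed under Questions 5, 7 and 49 into code. It is not from the referenced books; the level names, the category sets and the subject names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A sensitivity label: a linearly ordered level plus a set of categories
    (compartments) that carries the need-to-know restriction."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: higher-or-equal level AND a superset of the categories.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


class Subject:
    def __init__(self, name: str, clearance: Label) -> None:
        self.name = name
        self.clearance = clearance   # maximum label the subject may ever operate at
        self.current = clearance     # label the subject is operating at right now

    def downgrade(self, label: Label) -> None:
        """The temporary downgrade of Question 49, option B: a subject may operate
        below its clearance, never above it."""
        if not self.clearance.dominates(label):
            raise PermissionError("current label must be dominated by the clearance")
        self.current = label


def can_read(subject: Subject, obj: Label) -> bool:
    """Simple security property: no read up (reading down IS permitted)."""
    return subject.current.dominates(obj)


def can_write(subject: Subject, obj: Label, strong_star: bool = False) -> bool:
    """*-property: no write down, so the object must dominate the subject.
    Under the strong (strict) *-property, writes are allowed only at the subject's own label."""
    if strong_star:
        return subject.current == obj
    return obj.dominates(subject.current)


def demo() -> Dict[str, bool]:
    """Hypothetical subjects and objects; returns each decision for inspection."""
    crypto = frozenset({"CRYPTO"})
    analyst = Subject("analyst", Label("SECRET", crypto))
    top_secret = Label("TOP SECRET", crypto)
    confidential = Label("CONFIDENTIAL")
    secret_nuclear = Label("SECRET", frozenset({"NUCLEAR"}))
    secret_crypto = Label("SECRET", crypto)

    results = {
        "read_up": can_read(analyst, top_secret),                     # no read up
        "write_up": can_write(analyst, top_secret),                   # writing up is allowed
        "write_up_strong": can_write(analyst, top_secret, True),      # not under strong *
        "read_down": can_read(analyst, confidential),                 # reading down is fine
        "write_down": can_write(analyst, confidential),               # no write down
        "read_wrong_category": can_read(analyst, secret_nuclear),     # level ok, no need to know
        "read_same": can_read(analyst, secret_crypto),
        "write_same_strong": can_write(analyst, secret_crypto, True),
    }
    # Escaping the *-property by downgrading: a Top Secret officer who must write a
    # Secret file lowers the current label first, and thereby loses read access to TS data.
    officer = Subject("officer", Label("TOP SECRET", crypto))
    results["ts_writes_secret_before"] = can_write(officer, secret_crypto)
    officer.downgrade(secret_crypto)
    results["ts_writes_secret_after"] = can_write(officer, secret_crypto)
    results["ts_reads_ts_after"] = can_read(officer, top_secret)
    return results
```

The `read_wrong_category` case is the one exam candidates most often miss: the analyst holds a Secret clearance and the file is Secret, yet the read is refused because dominance also requires the subject's categories to cover the object's, which is how the label enforces need to know. The officer's downgrade shows why the "escape" in Question 49 is still safe: while operating at Secret the subject can no longer read Top Secret material, so nothing flows downward.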


NEW QUESTION 54 
- (Topic 1) 
Which of the following was developed by the National Computer Security Center (NCSC) for the US Department of Defense ? 


A. TCSEC 
B. ITSEC 

C. DIACAP 
D. NIACAP 


Answer: A 


Explanation: 

The answer is TCSEC. The TCSEC, frequently referred to as the Orange Book, is the centerpiece of the DoD Rainbow Series publications. 

Initially issued in 1983 by the National Computer Security Center (NCSC), an arm of the National Security Agency, and then updated in 1985, TCSEC was superseded by the Common Criteria international standard (first published in 1996 and adopted as ISO/IEC 15408 in 1999). 

References: 

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, pages 197-199. 

Wikipedia http://en.wikipedia.org/wiki/TCSEC 


NEW QUESTION 59 
- (Topic 1) 
In regards to information classification what is the main responsibility of information (data) owner? 


A. determining the data sensitivity or classification level 
B. running regular data backups 

C. audit the data users 

D. periodically check the validity and accuracy of the data 


Answer: A 


Explanation: 

Making the determination to decide what level of classification the information requires is the main responsibility of the data owner. 

The data owner within classification is a person from Management who has been entrusted with a data set that belongs to the company. It could be for example the Chief Financial Officer (CFO) who has been entrusted with all financial data, or it could be the Human Resource Director who has been entrusted with all Human Resource data. The information owner will decide what classification will be applied to the data based on the Confidentiality, Integrity, Availability, Criticality, and Sensitivity of the data. 

The Custodian is the technical person who will implement the proper classification on objects in accordance with the Data Owner. The custodian DOES NOT decide what classification to apply; it is the Data Owner who will dictate to the Custodian what classification to apply. 

NOTE: 

The term Data Owner is also used within Discretionary Access Control (DAC). Within DAC it means the person who has created an object. For example, if I create a file on my system then I am the owner of the file and I can decide who else could get access to the file. It is left to my discretion. Within DAC access is granted based solely on the Identity of the subject; this is why DAC is sometimes referred to as Identity Based Access Control. 

The other choices were not the best answer: 

Running regular backups is the responsibility of the custodian. Auditing the data users is the responsibility of the auditors. 

Periodically checking the validity and accuracy of the data is not one of the data owner's responsibilities. 

Reference(s) used for this question: 

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Page 14, Chapter 1: 
Security Management Practices. 


NEW QUESTION 63 
- (Topic 1) 
Which of the following forms of authentication would most likely apply a digital signature algorithm to every bit of data that is sent from the claimant to the verifier? 


A. Dynamic authentication 
B. Continuous authentication 
C. Encrypted authentication 
D. Robust authentication 


Answer: B 


Explanation: 

Continuous authentication is a type of authentication that provides protection against impostors who can see, alter, and insert information passed between the claimant and verifier even after the claimant/verifier authentication is complete. These are typically referred to as active attacks, since they assume that the impostor can actively influence the connection between claimant and verifier. One way to provide this form of authentication is to apply a digital signature algorithm to every bit of data that is sent from the claimant to the verifier. There are other combinations of cryptography that can provide this form of authentication, but current strategies rely on applying some type of cryptography to every bit of data sent. Otherwise, any unprotected bit would be suspect. Robust authentication relies on dynamic authentication data that changes with each authenticated session between a claimant and a verifier, but does not provide protection against active attacks. Encrypted authentication is a distracter. 

Source: GUTTMAN, Barbara & BAGWILL, Robert, NIST Special Publication 800-xx, Internet Security Policy: A Technical Guide, Draft Version, May 25, 2000 
(page 34). 
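
To make the distinction between robust and continuous authentication concrete, here is an added example (not from NIST SP 800-xx or the exam guide) of a verifier that checks every message sent after login. The text describes applying a digital signature to every bit; this illustration substitutes an HMAC (a shared-key message authentication code) so that it runs on the standard library alone, and binds a sequence number into each tag. The session key, message contents and the attacker actions are constructed.

```python
"""Continuous authentication of a session: every message carries a keyed tag.

Added example, not from NIST SP 800-xx. The exam text applies a digital
signature to every bit sent; this illustration uses an HMAC in its place
because it needs only the standard library. Key and messages are constructed.
"""
import hashlib
import hmac


def _tag(key: bytes, seq: int, payload: bytes) -> str:
    # The sequence number is bound into the tag so that a captured message
    # cannot be replayed or reordered without the tag failing to verify.
    return hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).hexdigest()


class Claimant:
    """Sender side: numbers and tags every message after login."""
    def __init__(self, session_key: bytes):
        self.key = session_key
        self.seq = 0

    def send(self, payload: bytes) -> dict:
        self.seq += 1
        return {"seq": self.seq, "payload": payload,
                "tag": _tag(self.key, self.seq, payload)}


class Verifier:
    """Receiver side: accepts a message only if its tag verifies under the
    session key AND it is the next expected one. Rejected messages do not
    advance the sequence, so an impostor's insertion does not desynchronise
    the legitimate claimant."""
    def __init__(self, session_key: bytes):
        self.key = session_key
        self.expected_seq = 1

    def accept(self, msg: dict) -> bool:
        expected = _tag(self.key, msg["seq"], msg["payload"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return False          # altered payload, wrong key, or wrong seq
        if msg["seq"] != self.expected_seq:
            return False          # genuine tag but replayed / out of order
        self.expected_seq += 1
        return True


def run_session() -> list:
    """Replay a constructed session and return the verifier's verdicts in order."""
    key = b"constructed-session-key-not-for-real-use"
    claimant, verifier = Claimant(key), Verifier(key)
    m1 = claimant.send(b"GET /balance")
    m2 = claimant.send(b"TRANSFER 10 -> savings")
    verdicts = [verifier.accept(m1), verifier.accept(m2)]
    # active attack 1: an in-flight message is altered
    tampered = dict(m2, payload=b"TRANSFER 10000 -> elsewhere")
    verdicts.append(verifier.accept(tampered))
    # active attack 2: a genuine message is replayed
    verdicts.append(verifier.accept(m2))
    # active attack 3: a message is inserted without knowing the session key
    forged = Claimant(b"guessed-key").send(b"LOGOUT")
    forged["seq"] = 3
    verdicts.append(verifier.accept(forged))
    # the legitimate claimant's next message is still accepted
    verdicts.append(verifier.accept(claimant.send(b"LOGOUT")))
    return verdicts


if __name__ == "__main__":
    print(run_session())   # expected [True, True, False, False, False, True]
```

The last verdict is the point of the design: because a rejected message never advances the verifier's counter, the three attacker messages leave the authenticated session intact, which a per-session (robust) credential alone could not guarantee.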


NEW QUESTION 64 
- (Topic 1) 
How would nonrepudiation be best classified? 


A. A preventive control 

B. A logical control 

C. A corrective control 

D. A compensating control 


Answer: A 


Explanation: 

Systems accountability depends on the ability to ensure that senders cannot deny sending information and that receivers cannot deny receiving it. Because the 
mechanisms implemented in nonrepudiation prevent the ability to successfully repudiate an action, it can be considered as a preventive control. 

Source: STONEBURNER, Gary, NIST Special Publication 800-33: Underlying Technical Models for Information Technology Security, National Institute of 
Standards and Technology, December 2001, page 7. 


NEW QUESTION 68 
- (Topic 1) 
This baseline sets certain thresholds for specific errors or mistakes allowed and the number of these occurrences that can take place before it is considered suspicious? 


A. Checkpoint level 
B. Ceiling level 

C. Clipping level 

D. Threshold level 


Answer: C 


Explanation: 

Organizations usually forgive a particular type, number, or pattern of violations, thus permitting a predetermined number of user errors before gathering this data 
for analysis. An organization attempting to track all violations, without sophisticated statistical computing ability, would be unable to manage the sheer quantity of 
such data. To make a violation listing effective, a clipping level must be established. 

The clipping level establishes a baseline for violation activities that may be normal user errors. Only after this baseline is exceeded is a violation record produced. 
This solution is particularly effective for small- to medium-sized installations. Organizations with large-scale computing facilities often track all violations and use 
statistical routines to cull out the minor infractions (e.g., forgetting a password or mistyping it several times). 

If the number of violations being tracked becomes unmanageable, the first step in correcting the problems should be to analyze why the condition has occurred. 
Do users understand how they are to interact with the computer resource? Are the rules too difficult to follow? Violation tracking and analysis can be valuable tools 
in assisting an organization to develop thorough but useable controls. Once these are in place and records are produced that accurately reflect serious violations, 
tracking and analysis become the first line of defense. With this procedure, intrusions are discovered before major damage occurs and sometimes early enough to 
catch the perpetrator. In addition, business protection and preservation are strengthened. 

The following answers are incorrect: 

All of the other choices presented were simply distracters. 

The following reference(s) were used for this question: 

Handbook of Information Security Management 
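
The clipping level mechanism described above, run over a few constructed authentication log lines. This is an added example, not from the Handbook of Information Security Management; the log format, the user names and addresses, the level of 3 and the choice that a successful login clears a user's error tally are all assumptions made for the illustration.

```python
"""Clipping level applied to authentication failures.

Added example, not from the Handbook of Information Security Management. The
log format and lines are constructed; a successful login resetting the user's
error count is an assumed design choice.
"""
import re
from collections import Counter

# Constructed log format: "<timestamp> <event> user=<name> src=<ip>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$")

CLIPPING_LEVEL = 3   # failures forgiven per user before a violation record is produced

SAMPLE_LOG = """\
2024-05-01T09:00:01Z LOGIN_FAILED user=alice src=10.0.0.5
2024-05-01T09:00:09Z LOGIN_FAILED user=alice src=10.0.0.5
2024-05-01T09:00:15Z LOGIN_OK     user=alice src=10.0.0.5
2024-05-01T09:01:02Z LOGIN_FAILED user=bob   src=203.0.113.7
2024-05-01T09:01:03Z LOGIN_FAILED user=bob   src=203.0.113.7
2024-05-01T09:01:04Z LOGIN_FAILED user=bob   src=203.0.113.7
2024-05-01T09:01:05Z LOGIN_FAILED user=bob   src=203.0.113.7
2024-05-01T09:01:06Z LOGIN_FAILED user=bob   src=203.0.113.7
2024-05-01T09:02:00Z LOGIN_FAILED user=alice src=10.0.0.5
""".splitlines()


def parse(lines):
    """Yield the fields of each well-formed line; skip anything unparsable."""
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            yield m.groupdict()


def violation_records(lines, clipping_level=CLIPPING_LEVEL):
    """Return one violation record per failure that EXCEEDS the clipping level.
    Failures at or below the level are treated as normal user error and
    produce nothing, which is what keeps the violation listing manageable."""
    failures = Counter()
    records = []
    for ev in parse(lines):
        if ev["event"] == "LOGIN_OK":
            failures[ev["user"]] = 0        # assumed: success clears the tally
            continue
        if ev["event"] != "LOGIN_FAILED":
            continue
        failures[ev["user"]] += 1
        if failures[ev["user"]] > clipping_level:
            records.append({"ts": ev["ts"], "user": ev["user"],
                            "src": ev["src"], "failures": failures[ev["user"]]})
    return records


if __name__ == "__main__":
    for rec in violation_records(SAMPLE_LOG):
        print(rec)
```

On the sample, alice's two mistyped passwords followed by a successful login never reach the baseline, while bob's fourth and fifth consecutive failures each produce a record; raising the level to 10 produces none, which is the trade-off the text describes between noise and missed violations.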


NEW QUESTION 72 
- (Topic 1) 
In addition to the accuracy of the biometric systems, there are other factors that must also be considered: 


A. These factors include the enrollment time and the throughput rate, but not acceptability. 

B. These factors do not include the enrollment time, the throughput rate, and acceptability. 

C. These factors include the enrollment time, the throughput rate, and acceptability. 

D. These factors include the enrollment time, but not the throughput rate, neither the acceptability. 


Answer: C 


Explanation: 

In addition to the accuracy of the biometric systems, there are other factors that must also be considered. 

These factors include the enrollment time, the throughput rate, and acceptability. Enrollment time is the time it takes to initially "register" with a system by providing samples of the biometric characteristic to be evaluated. An acceptable enrollment time is around two minutes. 

For example, in fingerprint systems, the actual fingerprint is stored and requires approximately 250kb per finger for a high quality image. This level of information is required for one-to-many searches in forensics applications on very large databases. 

In finger-scan technology, a full fingerprint is not stored; the features extracted from this fingerprint are stored using a small template that requires approximately 500 to 1000 bytes of storage. The original fingerprint cannot be reconstructed from this template. 

Updates of the enrollment information may be required because some biometric characteristics, such as voice and signature, may change with time. 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Pages 37 & 38. 


NEW QUESTION 74 
- (Topic 1) 
What is the primary role of smartcards in a PKI? 


A. Transparent renewal of user keys 

B. Easy distribution of the certificates between the users 

C. Fast hardware encryption of the raw data 

D. Tamper resistant, mobile storage and application of private keys of the users 


Answer: D 


Explanation: 

Reference: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw-Hill/Osborne, page 139; 

SNYDER, J., What is a SMART CARD? 

Wikipedia has a nice definition at: http://en.wikipedia.org/wiki/Tamper_resistance 

Security 

Tamper-resistant microprocessors are used to store and process private or sensitive information, such as private keys or electronic money credit. To prevent an attacker from retrieving or modifying the information, the chips are designed so that the information is not accessible through external means and can be accessed only by the embedded software, which should contain the appropriate security measures. 

Examples of tamper-resistant chips include all secure cryptoprocessors, such as the IBM 4758 and chips used in smartcards, as well as the Clipper chip. 

It has been argued that it is very difficult to make simple electronic devices secure against tampering, because numerous attacks are possible, including: 

- physical attack of various forms (microprobing, drills, files, solvents, etc.) 
- freezing the device 
- applying out-of-spec voltages or power surges 
- applying unusual clock signals 
- inducing software errors using radiation 
- measuring the precise time and power requirements of certain operations (see power analysis) 

Tamper-resistant chips may be designed to zeroise their sensitive data (especially cryptographic keys) if they detect penetration of their security encapsulation or out-of-specification environmental parameters. A chip may even be rated for "cold zeroisation", the ability to zeroise itself even after its power supply has been crippled. 

Nevertheless, the fact that an attacker may have the device in his possession for as long as he likes, and perhaps obtain numerous other samples for testing and 
practice, means that it is practically impossible to totally eliminate tampering by a sufficiently motivated opponent. Because of this, one of the most important 
elements in protecting a system is overall system design. In particular, tamper-resistant systems should "fail gracefully" by ensuring that compromise of one device 
does not compromise the entire system. In this manner, the attacker can be practically restricted to attacks that cost less than the expected return from 
compromising a single device (plus, perhaps, a little more for kudos). Since the most sophisticated attacks have been estimated to cost several hundred thousand 
dollars to carry out, carefully designed systems may be invulnerable in practice. 


NEW QUESTION 77 
- (Topic 1) 
Which of the following is an example of discretionary access control? 


A. Identity-based access control 
B. Task-based access control 
C. Role-based access control 
D. Rule-based access control 


Answer: A 


Explanation: 

An identity-based access control is an example of discretionary access control that is based on an individual's identity. Identity-based access control (IBAC) is access control based on the identity of the user (typically relayed as a characteristic of the process acting on behalf of that user), where access authorizations to specific objects are assigned based on user identity. 

Rule Based Access Control (RUBAC) and Role Based Access Control (RBAC) are examples of non-discretionary access controls. 

Rule-based access control is a type of non-discretionary access control because access is determined by rules and the subject does not decide what those rules will be; the rules are uniformly applied to ALL of the users or subjects. 

In general, all access control policies other than DAC are grouped in the category of non-discretionary access control (NDAC). As the name implies, policies in this category have rules that are not established at the discretion of the user. Non-discretionary policies establish controls that cannot be changed by users, but only through administrative action. 

Both Role Based Access Control (RBAC) and Rule Based Access Control (RUBAC) fall within Non Discretionary Access Control (NDAC). If it is not DAC or MAC then it is most likely NDAC. 

BELOW YOU HAVE A DESCRIPTION OF THE DIFFERENT CATEGORIES: 

MAC = Mandatory Access Control 

Under a mandatory access control environment, the system or security administrator will define what permissions subjects have on objects. The administrator does not dictate the user's access but simply configures the proper level of access as dictated by the Data Owner. 

The MAC system will look at the Security Clearance of the subject and compare it with the object sensitivity level or classification level. This is what is called the dominance relationship. 

The subject must DOMINATE the object sensitivity level, which means that the subject must have a security clearance equal to or higher than that of the object he is attempting to access. 

MAC also introduces the concept of labels. Every object will have a label attached to it indicating the classification of the object as well as categories that are used to impose the need to know (NTK) principle. Even though a user has a security clearance of Secret, it does not mean he would be able to access any Secret document within the system. He would be allowed to access only Secret documents for which he has a Need To Know, formal approval, and where the user belongs to one of the categories attached to the object. 

If there is no clearance and no labels then IT IS NOT Mandatory Access Control. 

Many of the other models can mimic MAC but none of them have labels and a dominance relationship, so they are NOT in the MAC category. 

DAC = Discretionary Access Control 

DAC is also known as an Identity Based access control system. 

The owner of an object is defined as the person who created the object. As such the owner has the discretion to grant access to other users on the network. Access will be granted based solely on the identity of those users. 

Such a system is good for a low level of security. One of the major problems is the fact that a user who has access to someone else's file can further share the file with other users without the knowledge or permission of the owner of the file. Very quickly this could become the wild wild west as there is no control on the dissemination of the information. 

RBAC = Role Based Access Control 

RBAC is a form of Non-Discretionary access control. 

Role Based access control usually maps directly to the different types of jobs performed by employees within a company. 

For example there might be 5 security administrators within your company. Instead of creating each of their profiles one by one, you would simply create a role and assign the administrators to the role. Once an administrator has been assigned to a role, he will IMPLICITLY inherit the permissions of that role. 

RBAC is a great tool for an environment where there is a large rotation of employees on a daily basis, such as a very large help desk for example. 

RuBAC (sometimes also written RBAC) = Rule Based Access Control 

RuBAC is a form of Non-Discretionary access control. 

A good example of a Rule Based access control device would be a Firewall. A single set of rules is imposed on all users attempting to connect through the firewall. 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33. and 

NISTIR-7316 at http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316.pdf and 

http://itlaw.wikia.com/wiki/Identity-based_access_control 
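
The four categories described above (DAC, MAC, RBAC and RuBAC) as four small policy decision functions side by side, so that the distinguishing feature of each is visible in code: who may change the policy, and what the decision depends on. This is an added example, not from the Prep Guide or NISTIR-7316; all user names, labels and categories, roles, firewall rules and addresses are constructed. The MAC function carries both halves of the dominance relationship, clearance level and need-to-know categories, as the text requires.

```python
"""DAC, MAC, RBAC and RuBAC as tiny policy decision functions.

Added example; every user, label, role, rule and address is constructed.
"""
from ipaddress import ip_address, ip_network


# ---------- DAC: the object's owner decides, at their discretion ----------
class DacObject:
    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write"}}    # creator owns the object outright

    def grant(self, granter, user, right):
        """Only the owner may extend the ACL; anyone else is refused."""
        if granter != self.owner:
            return False
        self.acl.setdefault(user, set()).add(right)
        return True

    def allows(self, user, right):
        return right in self.acl.get(user, set())


# ---------- MAC: clearance must dominate the object's label ----------
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def mac_allows(clearance, categories_held, obj_level, obj_categories):
    """Dominance: level at least as high AND need-to-know for every category
    attached to the object. A Secret clearance alone does not open every
    Secret document; the user cannot change any of this."""
    return (LEVELS[clearance] >= LEVELS[obj_level]
            and set(categories_held) >= set(obj_categories))


# ---------- RBAC: permissions hang off roles, users inherit by assignment ----------
ROLE_PERMISSIONS = {
    "security_admin": {"read_audit_log", "edit_firewall_policy"},
    "helpdesk": {"reset_password", "unlock_account"},
}
USER_ROLES = {"dana": {"security_admin"}, "eli": {"helpdesk"}}


def rbac_allows(user, permission):
    """A user holds a permission only implicitly, through an assigned role."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# ---------- RuBAC: one ordered rule list applied to every subject ----------
FIREWALL_RULES = [            # (action, source network, destination port or None = any)
    ("allow", "10.0.0.0/8", 443),
    ("allow", "10.0.0.0/8", 22),
    ("deny", "0.0.0.0/0", None),   # default deny
]


def rubac_allows(src_ip, dst_port):
    """First matching rule wins; the subject's identity plays no part."""
    src = ip_address(src_ip)
    for action, net, port in FIREWALL_RULES:
        if src in ip_network(net) and (port is None or port == dst_port):
            return action == "allow"
    return False


if __name__ == "__main__":
    doc = DacObject("alice")
    doc.grant("alice", "bob", "read")
    print("DAC  bob read:", doc.allows("bob", "read"), "| bob grants carol:", doc.grant("bob", "carol", "read"))
    print("MAC  SECRET/CRYPTO -> SECRET/NUCLEAR:", mac_allows("SECRET", {"CRYPTO"}, "SECRET", {"NUCLEAR"}))
    print("RBAC eli reset_password:", rbac_allows("eli", "reset_password"))
    print("RuBAC 10.1.2.3:8080:", rubac_allows("10.1.2.3", 8080))
```

The DAC weakness the text warns about is visible in the model: once bob can read the file nothing in the policy stops him copying its contents elsewhere, whereas under MAC the label travels with the object and the user has no way to loosen it.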


NEW QUESTION 82 

- (Topic 1) 

Almost all types of detection permit a system's sensitivity to be increased or decreased during an inspection process. If the system's sensitivity is increased, such 
as in a biometric authentication system, the system becomes increasingly selective and has the possibility of generating: 


A. Lower False Rejection Rate (FRR) 
B. Higher False Rejection Rate (FRR) 
C. Higher False Acceptance Rate (FAR) 
D. It will not affect either FAR or FRR 


Answer: B 


Explanation: 

Almost all types of detection permit a system's sensitivity to be increased or decreased during an inspection process. If the system's sensitivity is increased, such 
as in a biometric authentication system, the system becomes increasingly selective and has a higher False Rejection Rate (FRR). 

Conversely, if the sensitivity is decreased, the False Acceptance Rate (FAR) will increase. Thus, to have a valid measure of the system performance, the Crossover Error Rate (CER) is used. The Crossover Error Rate (CER) is the point at which the false rejection rate and the false acceptance rate are equal. The lower the value of the CER, the more accurate the system. 

There are three categories of biometric accuracy measurement (all represented as percentages): 

False Reject Rate (a Type I Error): When authorized users are falsely rejected as unidentified or unverified. 

False Accept Rate (a Type II Error): When unauthorized persons or imposters are falsely accepted as authentic. 

Crossover Error Rate (CER): The point at which the false rejection rates and the false acceptance rates are equal. The smaller the value of the CER, the more 
accurate the system. 

NOTE: 

Within the ISC2 book they make use of the terms Accept or Acceptance and also Reject or Rejection when referring to the types of errors within biometrics. Below we make use of Acceptance and Rejection throughout the text for consistency. However, on the real exam you could see either of the terms. 

Performance of biometrics 

Different metrics can be used to rate the performance of a biometric factor, solution or application. The most common performance metrics are the False 
Acceptance Rate FAR and the False Rejection Rate FRR. 

When using a biometric application for the first time the user needs to enroll in the system. The system requests fingerprints, a voice recording or another biometric factor from the operator; this input is registered in the database as a template which is linked internally to a user ID. The next time the user wants to authenticate or identify himself, the biometric input provided by the user is compared to the template(s) in the database by a matching algorithm which responds with acceptance (match) or rejection (no match). 

FAR and FRR 

The FAR or False Acceptance rate is the probability that the system incorrectly authorizes a non-authorized person, due to incorrectly matching the biometric input 
with a valid template. The FAR is normally expressed as a percentage, following the FAR definition this is the percentage of invalid inputs which are incorrectly 
accepted. 

The FRR or False Rejection Rate is the probability that the system incorrectly rejects access to an authorized person, due to failing to match the biometric input 
provided by the user with a stored template. The FRR is normally expressed as a percentage, following the FRR definition this is the percentage of valid inputs 
which are incorrectly rejected. 

FAR and FRR are very much dependent on the biometric factor that is used and on the technical implementation of the biometric solution. Furthermore the FRR is 
strongly person dependent, a personal FRR can be determined for each individual. 

Take this into account when determining the FRR of a biometric solution; one person is insufficient to establish an overall FRR for a solution. Also FRR might increase due to environmental conditions or incorrect use, for example when using dirty fingers on a fingerprint reader. Mostly the FRR lowers when a user gains more experience in how to use the biometric device or software. 

FAR and FRR are key metrics for biometric solutions; some biometric devices or software even allow them to be tuned so that the system matches or rejects more readily. Both FRR and FAR are important, but for most applications one of them is considered most important. Two examples to illustrate this: 

When biometrics are used for logical or physical access control, the objective of the application is to disallow access to unauthorized individuals under all 
circumstances. It is clear that a very low FAR is needed for such an application, even if it comes at the price of a higher FRR. 

When surveillance cameras are used to screen a crowd of people for missing children, the objective of the application is to identify any missing children that come 
up on the screen. When the identification of those children is automated using a face recognition software, this software has to be set up with a low FRR. As such 
a higher number of matches will be false positives, but these can be reviewed quickly by surveillance personnel. 

False Acceptance Rate is also called False Match Rate, and False Rejection Rate is sometimes referred to as False Non-Match Rate. 

[Figure: FAR and FRR plotted against the sensitivity (matching threshold) on the X axis; the point where the two curves cross is marked as the crossover error rate.] 

CER 

The Crossover Error Rate or CER is illustrated on the graph above. It is the rate where both FAR and FRR are equal. 

The matching algorithm in a biometric software or device uses a (configurable) threshold which determines how close to a template the input must be for it to be 
considered a match. This threshold value is in some cases referred to as sensitivity, it is marked on the X axis of the plot. When you reduce this threshold there will 
be more false acceptance errors (higher FAR) and less false rejection errors (lower FRR), a higher threshold will lead to lower FAR and higher FRR. 

Speed 

Most manufacturers of biometric devices and software can give clear numbers on the time it takes to enroll as well as on the time for an individual to be authenticated or identified using their application. If speed is important then take your time to consider this: 5 seconds might seem a short time on paper or when testing a device, but if hundreds of people will use the device multiple times a day the cumulative loss of time might be significant. 

Reference(s) used for this question: 

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 2723-2731). Auerbach Publications. Kindle Edition. 

and 

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 37. 

and 

http://www.biometric-solutions.com/index.php?story=performance_biometrics 


NEW QUESTION 85 
- (Topic 1) 
What are the components of an object's sensitivity label? 


A. A Classification Set and a single Compartment. 
B. A single classification and a single compartment. 
C. A Classification Set and user credentials. 

D. A single classification and a Compartment Set. 


Answer: D 


Explanation: 

A single classification and a Compartment Set are the two components of a sensitivity label. The following are incorrect: 

A Classification Set and a single Compartment. Incorrect because the nomenclature "Classification Set" is wrong: there is only one classification, and it is not a "single compartment" but a Compartment Set. 

A single classification and a single compartment. Incorrect because, while there is only one classification, it is not a "single compartment" but a Compartment Set. 

A Classification Set and user credentials. Incorrect because the nomenclature "Classification Set" is wrong: there is only one classification, and it is not "user credentials" but a Compartment Set. The user would have their own sensitivity label. 


NEW QUESTION 87 
- (Topic 1) 
Which of the following is the WEAKEST authentication mechanism? 


A. Passphrases 

B. Passwords 

C. One-time passwords 
D. Token devices 


Answer: B 


Explanation: 

Most of the time users choose passwords which can be guessed, hence passwords is the BEST answer out of the choices listed above. 

The following answers are incorrect because: 

Passphrases is incorrect as a passphrase is more secure than a password because it is longer. 

One-time passwords is incorrect as, as the name states, it is good for only one use and cannot be reused. 

Token devices is incorrect as a token device is also a password generator and is a one-time password mechanism. 

Reference: Shon Harris AIO v3, Chapter 4: Access Control, Pages 139, 142. 


NEW QUESTION 88 
- (Topic 1) 
Which type of control is concerned with avoiding occurrences of risks? 


A. Deterrent controls 

B. Detective controls 

C. Preventive controls 

D. Compensating controls 


Answer: C 


Explanation: 

Preventive controls are concerned with avoiding occurrences of risks, while deterrent controls are concerned with discouraging violations. Detective controls identify occurrences, and compensating controls are alternative controls used to compensate for weaknesses in other controls. Supervision is an example of a compensating control. 

Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation. 


NEW QUESTION 92 
- (Topic 1) 
Which of the following remote access authentication systems is the most robust? 


A. TACACS+ 
B. RADIUS 
C. PAP 

D. TACACS 


Answer: A 


Explanation: 

TACACS+ is a proprietary Cisco enhancement to TACACS and is more robust than RADIUS. PAP is not a remote access authentication system but a remote 
node security protocol. 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: 
Telecommunications and Network Security (page 122). 


NEW QUESTION 95 
- (Topic 1) 
What is called a sequence of characters that is usually longer than the allotted number for a password? 


A. passphrase 

B. cognitive phrase 
C. anticipated phrase 
D. Real phrase 


Answer: A 


Explanation: 
A passphrase is a sequence of characters that is usually longer than the allotted number for a password. 
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, page 37. 


NEW QUESTION 99 
- (Topic 1) 
Which of the following is not a logical control when implementing logical access security? 


A. access profiles. 

B. userids. 

C. employee badges. 
D. passwords. 


Answer: C 


Explanation: 

Employee badges are considered physical controls, so they would not be a logical control. 

The following answers are incorrect: 

userids. Incorrect because userids are a type of logical control. 

access profiles. Incorrect because access profiles are a type of logical control. 

passwords. Incorrect because passwords are a type of logical control. 


NEW QUESTION 100 
- (Topic 1) 
Which division of the Orange Book deals with discretionary protection (need-to-know)? 


A. D 
B. C 
C. B 
D. A 


Answer: B 
Explanation: 

C deals with discretionary protection. See the TCSEC matrix below: 


[Figure: TCSEC Matrix, listing the Orange Book divisions and their classes.] 

The following are incorrect answers: 

D is incorrect. D deals with minimal security. 


B is incorrect. B deals with mandatory protection. 

A is incorrect. A deals with verified protection. 

Reference(s) used for this question: 

CBK, p. 329-330 
and 
Shon Harris, CISSP All In One (AIO), 6th Edition, pages 392-393 


NEW QUESTION 104 
- (Topic 1) 
This is a common security issue that is extremely hard to control in large environments. It occurs when a user has more computer rights, permissions, and access than what is required for the tasks the user needs to fulfill. What best describes this scenario? 


A. Excessive Rights 

B. Excessive Access 

C. Excessive Permissions 
D. Excessive Privileges 


Answer: D 


Explanation: 

Even though all 4 terms are very close to each other, the best choice is Excessive Privileges, which would include the other three choices presented. 

Reference(s) used for this question: 

HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001, Page 645. 


and 


NEW QUESTION 108 
- (Topic 1) 
What does the simple integrity axiom mean in the Biba model? 


A. No write down 
B. No read down 
C. No read up 
D. No write up 


Answer: B 


Explanation: 

The simple integrity axiom of the Biba access control model states that a subject at one level of integrity is not permitted to observe an object of a lower integrity (no read down). 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 205). 
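
The simple integrity axiom above, together with its companion the * (star) integrity axiom, as a decision function. This is an added example, not from the Prep Guide; the three integrity levels and the sample requests are constructed. The point it makes is the direction of the rules: Biba orders integrity, so a trusted (high-integrity) subject is refused a read of low-integrity data, the mirror image of the confidentiality rule.

```python
"""Biba integrity axioms as an access decision function.

Added example, not from the CISSP Prep Guide; the integrity levels and the
sample requests are constructed.
"""
INTEGRITY = {"UNTRUSTED": 0, "USER": 1, "SYSTEM": 2}   # higher = more trustworthy


def biba_can_read(subject_level, object_level):
    """Simple integrity axiom ("no read down"): a subject may only observe
    objects whose integrity is at least as high as its own, so that
    low-integrity data cannot contaminate it."""
    return INTEGRITY[object_level] >= INTEGRITY[subject_level]


def biba_can_write(subject_level, object_level):
    """* (star) integrity axiom ("no write up"): a subject may only modify
    objects whose integrity is at or below its own, so that it cannot
    corrupt data more trusted than itself."""
    return INTEGRITY[object_level] <= INTEGRITY[subject_level]


def biba_decide(subject_level, object_level, action):
    """Route a request to the matching Biba axiom."""
    if action == "read":
        return biba_can_read(subject_level, object_level)
    if action == "write":
        return biba_can_write(subject_level, object_level)
    raise ValueError(f"unknown action {action!r}")


if __name__ == "__main__":
    # A SYSTEM-integrity service: reads only SYSTEM data, may write anywhere below.
    for obj, action in [("USER", "read"), ("SYSTEM", "read"),
                        ("UNTRUSTED", "write"), ("SYSTEM", "write")]:
        print(f"SYSTEM {action:5} {obj:9} -> {biba_decide('SYSTEM', obj, action)}")
    # A USER-integrity process may not push data up into SYSTEM objects.
    print(f"USER   write SYSTEM    -> {biba_decide('USER', 'SYSTEM', 'write')}")
```

A practical reading: a privileged service that consumes unvalidated user input is a "read down" in Biba terms, which is exactly the pattern input validation at trust boundaries exists to guard.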


NEW QUESTION 111 
- (Topic 1) 
What physical characteristic does a retinal scan biometric device measure? 


A. The amount of light reaching the retina 
B. The amount of light reflected by the retina 
C. The pattern of light receptors at the back of the eye 
D. The pattern of blood vessels at the back of the eye 


Answer: D 


Explanation: 

The retina, a thin nerve (1/50th of an inch) on the back of the eye, is the part of the eye which senses light and transmits impulses through the optic nerve to the 
brain - the equivalent of film in a camera. Blood vessels used for biometric identification are located along the neural retina, the outermost of retina’s four cell 
layers. 

The following answers are incorrect: 

The amount of light reaching the retina The amount of light reaching the retina is not used in the biometric scan of the retina. 

The amount of light reflected by the retina The amount of light reflected by the retina is not used in the biometric scan of the retina. 

The pattern of light receptors at the back of the eye: this is a distractor. 

The following reference(s) were/was used to create this question: 

Retina Scan Technology. 

ISC2 Official Guide to the CBK, 2007 (Page 161) 


NEW QUESTION 116 
- (Topic 1) 
Which of the following access control models requires defining classification for objects? 


A. Role-based access control 

B. Discretionary access control 
C. Identity-based access control 
D. Mandatory access control 


Answer: D 


Explanation: 

With mandatory access control (MAC), the authorization of a subject's access to an object is dependent upon labels, which indicate the subject's clearance and the classification of objects. 

The following answers are incorrect: 

Identity-based Access Control is a type of Discretionary Access Control (DAC); they are synonymous. 

Role Based Access Control (RBAC) and Rule Based Access Control (RUBAC or RBAC) are types of Non Discretionary Access Control (NDAC). 

Tip: 

When you have two answers that are synonymous, they are not the right choice for sure. 

There is only one access control model that makes use of Labels, Clearances, and Categories, and it is Mandatory Access Control; none of the others make use of those items. 

Reference(s) used for this question: 

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access 
control systems (page 33). 


NEW QUESTION 117 

- (Topic 1) 

Which of the following can be defined as a framework that supports multiple, optional authentication mechanisms for PPP, including cleartext passwords, 
challenge-response, and arbitrary dialog sequences? 


A. Extensible Authentication Protocol 

B. Challenge Handshake Authentication Protocol 
C. Remote Authentication Dial-In User Service 
D. Multilevel Authentication Protocol. 


Answer: A 


Explanation: 

RFC 2828 (Internet Security Glossary) defines the Extensible Authentication Protocol as a framework that supports multiple, optional authentication mechanisms 
for PPP, including cleartext passwords, challenge-response, and arbitrary dialog sequences. It is intended for use primarily by a host or router that connects to a 
PPP network server via switched circuits or dial-up lines. The Remote Authentication Dial-In User Service (RADIUS) is defined as an Internet protocol for carrying 
dial-in user's authentication information and configuration information between a shared, centralized authentication server and a network access server that needs 
to authenticate the users of its network access ports. The other option is a distracter. 

Source: SHIREY, Robert W., RFC2828: Internet Security Glossary, May 2000. 


NEW QUESTION 119 
- (Topic 1) 
Kerberos is vulnerable to replay in which of the following circumstances? 


A. When a private key is compromised within an allotted time window. 
B. When a public key is compromised within an allotted time window. 
C. When a ticket is compromised within an allotted time window. 

D. When the KSD is compromised within an allotted time window. 


Answer: C 


Explanation: 

Replay can be accomplished on Kerberos if the compromised tickets are used within an allotted time window. 

The security depends on careful implementation: enforcing limited lifetimes for authentication credentials minimizes the threat of replayed credentials, the KDC must be physically secured, and it should be hardened, not permitting any non-Kerberos activities. 

Reference: 

Official ISC2 Guide to the CISSP, 2007 Edition, page 184 also see: 
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 42. 


NEW QUESTION 121 
- (Topic 1) 
What is called the percentage of valid subjects that are falsely rejected by a Biometric Authentication system? 


A. False Rejection Rate (FRR) or Type I Error 

B. False Acceptance Rate (FAR) or Type II Error 
C. Crossover Error Rate (CER) 

D. True Rejection Rate (TRR) or Type III Error 


Answer: A 


Explanation: 
The percentage of valid subjects that are falsely rejected is called the False Rejection Rate (FRR) or Type I Error. 
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 38. 


NEW QUESTION 125 
- (Topic 1) 
Which of the following is not a preventive login control? 


A. Last login message 

B. Password aging 

C. Minimum password length 
D. Account expiration 


Answer: A 


Explanation: 

The last login message displays the last login date and time, allowing a user to discover if their account was used by someone else. Hence, this is rather a 
detective control. 

Source: RUSSEL, Deborah & GANGEMI, G.T. Sr., Computer Security Basics, O'Reilly, July 1992 (page 63). 


NEW QUESTION 126 

- (Topic 1) 

The throughput rate is the rate at which individuals, once enrolled, can be processed and 
identified or authenticated by a biometric system. Acceptable throughput rates are in the range of: 


A. 100 subjects per minute. 
B. 25 subjects per minute. 
C. 10 subjects per minute. 
D. 50 subjects per minute. 


Answer: C 


Explanation: 

The throughput rate is the rate at which individuals, once enrolled, can be processed and identified or authenticated by a biometric system. 

Acceptable throughput rates are in the range of 10 subjects per minute. 

Things that may impact the throughput rate for some types of biometric systems may include: 

A concern with retina scanning systems may be the exchange of body fluids on the eyepiece. 

Another concern would be the retinal pattern that could reveal changes in a person's health, such as diabetes or high blood pressure. 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 38. 


NEW QUESTION 127 
- (Topic 1) 
Controls provide accountability for individuals who are accessing sensitive information. This accountability is accomplished: 


A. through access control mechanisms that require identification and authentication and through the audit function. 

B. through logical or technical controls involving the restriction of access to systems and the protection of information. 

C. through logical or technical controls but not involving the restriction of access to systems and the protection of information. 

D. through access control mechanisms that do not require identification and authentication and do not operate through the audit function. 


Answer: A 


Explanation: 

Controls provide accountability for individuals who are accessing sensitive information. This accountability is accomplished through access control mechanisms 
that require identification and authentication and through the audit function. These controls must be in accordance with and accurately represent the organization's 
security policy. Assurance procedures ensure that the control mechanisms correctly implement the security policy for the entire life cycle of an information system. 
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33. 


NEW QUESTION 132 
- (Topic 1) 
Examples of types of physical access controls include all EXCEPT which of the following? 


A. badges 

B. locks 

C. guards 

D. passwords 


Answer: D 


Explanation: 

Passwords are considered a Preventive/Technical (logical) control. 

The following answers are incorrect: 

badges: Badges are a physical control used to identify an individual. A badge can include a smart device which can be used for authentication and thus be a Technical control, but the actual badge itself is primarily a physical control. 

locks: Locks are a Preventive Physical control and have no Technical association. 

guards: Guards are a Preventive Physical control and have no Technical association. 

The following reference(s) were/was used to create this question: 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: 
Access control systems (page 35). 


NEW QUESTION 133 
- (Topic 1) 
Which of the following is NOT an advantage that TACACS+ has over TACACS? 


A. Event logging 

B. Use of two-factor password authentication 

C. User has the ability to change his password 

D. Ability for security tokens to be resynchronized 


Answer: A 


Explanation: 

Although TACACS+ provides better audit trails, event logging is a service that is provided with TACACS. 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: 
Telecommunications and Network Security (page 121). 


NEW QUESTION 136 
- (Topic 1) 
Which of the following is NOT true of the Kerberos protocol? 


A. Only a single login is required per session. 

B. The initial authentication steps are done using public key algorithm. 

C. The KDC is aware of all systems in the network and is trusted by all of them 
D. It performs mutual authentication 


Answer: B 


Explanation: 

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. It has 
the following characteristics: 

It is secure: it never sends a password unless it is encrypted. 

Only a single login is required per session. Credentials defined at login are then passed between resources without the need for additional logins. 

The concept depends on a trusted third party - a Key Distribution Center (KDC). The KDC is aware of all systems in the network and is trusted by all of them. 

It performs mutual authentication, where a client proves its identity to a server and a server proves its identity to the client. 

Kerberos introduces the concept of a Ticket-Granting Server/Service (TGS). A client that wishes to use a service has to receive a ticket from the TGS - a ticket is a time-limited cryptographic message - giving it access to the server. Kerberos also requires an Authentication Server (AS) to verify clients. The two servers combined make up a KDC. 

Within the Windows environment, Active Directory performs the functions of the KDC. The following figure shows the sequence of events required for a client to gain access to a service using Kerberos authentication. Each step is shown with the Kerberos message associated with it, as defined in RFC 4120 "The Kerberos Network Authentication Service (V5)". 

Figure: Kerberos Authentication Step by Step 

Step 1: The user logs on to the workstation and requests service on the host. The workstation sends a message to the Authorization Server requesting a ticket 
granting ticket (TGT). 

Step 2: The Authorization Server verifies the user's access rights in the user database and creates a TGT and session key. The Authorization Server encrypts the results using a key derived from the user's password and sends a message back to the user workstation. 

The workstation prompts the user for a password and uses the password to decrypt the incoming message. When decryption succeeds, the user will be able to 
use the TGT to request a service ticket. 
Step 3: When the user wants access to a service, the workstation client application sends a request to the Ticket Granting Service containing the client name, 
realm name and a timestamp. The user proves his identity by sending an authenticator encrypted with the session key received in Step 2. 

Step 4: The TGS decrypts the ticket and authenticator, verifies the request, and creates a ticket for the requested server. The ticket contains the client name and optionally the client IP address. It also contains the realm name and ticket lifespan. The TGS returns the ticket to the user workstation. The returned message contains two copies of a server session key - one encrypted with the client password, and one encrypted by the service password. 

Step 5: The client application now sends a service request to the server containing the ticket received in Step 4 and an authenticator. The service authenticates the 
request by decrypting the session key. The server verifies that the ticket and authenticator match, and then grants access to the service. This step as described 
does not include the authorization performed by the Intel AMT device, as described later. 

Step 6: If mutual authentication is required, then the server will reply with a server authentication message. 

The Kerberos server knows "secrets" (encrypted passwords) for all clients and servers under its control, or it is in contact with other secure servers that have this 
information. These "secrets" are used to encrypt all of the messages shown in the figure above. 

To prevent "replay attacks," Kerberos uses timestamps as part of its protocol definition. For timestamps to work properly, the clocks of the client and the server 
need to be in synch as much as possible. In other words, both computers need to be set to the same time and date. Since the clocks of two computers are often 
out of synch, administrators can establish a policy to establish the maximum acceptable difference to Kerberos between a client's clock and server's clock. If the 
difference between a client's clock and the server's clock is less than the maximum time difference specified in this policy, any timestamp used in a session 
between the two computers will be considered authentic. The maximum difference is usually set to five minutes. 

Note that if a client application wishes to use a service that is "Kerberized" (the service is configured to perform Kerberos authentication), the client must also be 
Kerberized so that it expects to support the necessary message responses. 

For more information about Kerberos, see http://web.mit.edu/kerberos/www/. 

References: 

Introduction to Kerberos Authentication from Intel 

and 

http://www.zeroshell.net/eng/kerberos/Kerberos-definitions/#1.3.5.3 and 

http://www.ietf.org/rfc/rfc4120.txt 


NEW QUESTION 137 
- (Topic 1) 
What is Kerberos? 


A. A three-headed dog from the Egyptian mythology. 
B. A trusted third-party authentication protocol. 

C. A security model. 

D. A remote authentication dial in user server. 


Answer: B 


Explanation: 

A trusted third-party authentication protocol is correct because that is exactly what Kerberos is. 

The following answers are incorrect: 

A three-headed dog from Egyptian mythology. This is incorrect because we are dealing with information security, and in any case the three-headed dog comes from Greek mythology, not Egyptian mythology. 

A security model. This is incorrect because Kerberos is an authentication protocol, not just a security model. 

A remote authentication dial in user server. This is incorrect because Kerberos is not a remote authentication dial-in user server; that would be RADIUS. 


NEW QUESTION 141 
- (Topic 1) 
Which one of the following factors is NOT one on which Authentication is based? 


A. Type 1. Something you know, such as a PIN or password 

B. Type 2. Something you have, such as an ATM card or smart card 

C. Type 3. Something you are (based upon one or more intrinsic physical or behavioral traits), such as a fingerprint or retina scan 
D. Type 4. Something you are, such as a system administrator or security administrator 


Answer: D 


Explanation: 

Authentication is based on the following three factor types: 

Type 1. Something you know, such as a PIN or password 

Type 2. Something you have, such as an ATM card or smart card 

Type 3. Something you are (Unique physical characteristic), such as a fingerprint or retina scan 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36. 
Also: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 4: Access Control (pages 132-133). 


NEW QUESTION 146 
- (Topic 1) 
The "vulnerability of a facility" to damage or attack may be assessed by all of the following except: 


A. Inspection 

B. History of losses 
C. Security controls 
D. security budget 


Answer: D 


Explanation: 


Source: The CISSP Examination Textbook- Volume 2: Practice by S. Rao Vallabhaneni. 


NEW QUESTION 147 
- (Topic 1) 
Which of the following statements pertaining to using Kerberos without any extension is false? 


A. A client can be impersonated by password-guessing. 
B. Kerberos is mostly a third-party authentication protocol. 
C. Kerberos uses public key cryptography. 

D. Kerberos provides robust authentication. 


Answer: C 


Explanation: 

Kerberos is a trusted, credential-based, third-party authentication protocol that uses symmetric (secret) key cryptography to provide robust authentication to clients 
accessing services on a network. 

Because a client's password is used in the initiation of the Kerberos request for the service protocol, password guessing can be used to impersonate a client. 
Here is a nice overview of HOW Kerberos is implemented, as described in RFC 4556: 

1. Introduction 

The Kerberos V5 protocol [RFC4120] involves use of a trusted third party known as the Key Distribution Center (KDC) to negotiate shared session keys between 
clients and services and provide mutual authentication between them. 

The cornerstones of Kerberos V5 are the Ticket and the Authenticator. A Ticket encapsulates a symmetric key (the ticket session key) in an envelope (a public 
message) intended for a specific service. The contents of the Ticket are encrypted with a symmetric key shared between the service principal and the issuing 
KDC. The encrypted part of the Ticket contains the client principal name, among other items. An Authenticator is a record that can be shown to have been recently 
generated using the ticket session key in the associated Ticket. The ticket session key is known by the client who requested the ticket. The contents of the 
Authenticator are encrypted with the associated ticket session key. The encrypted part of an Authenticator contains a timestamp and the client principal name, 
among other items. 

As shown in Figure 1, below, the Kerberos V5 protocol consists of the following message exchanges between the client and the KDC, and the client and the 
application service: 

The Authentication Service (AS) Exchange 

The client obtains an "initial" ticket from the Kerberos authentication server (AS), typically a Ticket Granting Ticket (TGT). The AS-REQ message and the AS-REP message are the request and the reply message, respectively, between the client and the AS. 

The Ticket Granting Service (TGS) Exchange 

The client subsequently uses the TGT to authenticate and request a service ticket for a particular service, from the Kerberos ticket-granting server (TGS). The TGS-REQ message and the TGS-REP message are the request and the reply message, respectively, between the client and the TGS. 

The Client/Server Authentication Protocol (AP) Exchange 

The client then makes a request with an AP-REQ message, consisting of a service ticket and an authenticator that certifies the client's possession of the ticket session key. The server may optionally reply with an AP-REP message. AP exchanges typically negotiate session-specific symmetric keys. 

Usually, the AS and TGS are integrated in a single device also known as the KDC. 
Figure 1: The Message Exchanges in the Kerberos V5 Protocol 

In the AS exchange, the KDC reply contains the ticket session key, among other items, that is encrypted using a key (the AS reply key) shared between the client 
and the KDC. The AS reply key is typically derived from the client's password for human users. Therefore, for human users, the attack resistance strength of the 
Kerberos protocol is no stronger than the strength of their passwords. 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: 
Access control systems (page 40). 

And 

HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 4: Access Control (pages 147-151). 

and http://www.ietf.org/rfc/rfc4556.txt 
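The AS, TGS and AP exchanges described here and in question 136 above, together with the ticket lifetime, clock-skew and replay checks those explanations mention, as an added simulation in Python (not code from the page, from RFC 4556 or from any Kerberos implementation). The encryption is a stdlib-only toy standing in for real Kerberos encryption types, and the principals, passwords and 600-second ticket lifetime are constructed for the example.

```python
import hashlib, hmac, json, os, time

MAX_SKEW = 300  # seconds: the five-minute clock-skew policy mentioned in the text

def _xor(key, nonce, data):
    # Toy SHA-256 counter keystream standing in for a real Kerberos encryption type
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, obj):
    """Encrypt-then-MAC a JSON dict under a 32-byte key (toy construction, stdlib only)."""
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj, sort_keys=True).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Check the tag, then decrypt; raises ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(_xor(key, nonce, ct))

def password_key(password):  # AS reply key derived from the user's password (string2key)
    return hashlib.sha256(b"toy-string2key:" + password.encode()).digest()

def authenticator(session_key, client, ts=None):  # client name + timestamp, sealed
    return seal(session_key, {"client": client, "ts": time.time() if ts is None else ts})

def check_fresh(ticket, auth, now):
    """Ticket lifetime, name match, and the authenticator timestamp window."""
    if ticket["expires"] < now:
        raise ValueError("ticket expired")
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator name does not match ticket")
    if abs(now - auth["ts"]) > MAX_SKEW:
        raise ValueError("authenticator outside clock-skew window")

class KDC:  # AS and TGS in one, holding every principal's long-term secret
    def __init__(self, secrets):
        self.secrets, self.tgs_key = secrets, secrets["krbtgt"]

    def as_exchange(self, client):  # AS-REQ -> AS-REP (steps 1-2 above)
        sk = os.urandom(32)  # TGT session key
        tgt = seal(self.tgs_key, {"client": client, "key": sk.hex(),
                                  "expires": time.time() + 600})
        return seal(self.secrets[client], {"key": sk.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt_blob, auth_blob, service):  # TGS-REQ -> TGS-REP (3-4)
        tgt = unseal(self.tgs_key, tgt_blob)
        sk = bytes.fromhex(tgt["key"])
        check_fresh(tgt, unseal(sk, auth_blob), time.time())
        svc_key = os.urandom(32)  # service session key; two sealed copies go back
        ticket = seal(self.secrets[service], {"client": tgt["client"],
                      "key": svc_key.hex(), "expires": time.time() + 600})
        return seal(sk, {"key": svc_key.hex(), "ticket": ticket.hex()})

class Service:  # a Kerberized server keeping a replay cache of accepted authenticators
    def __init__(self, key):
        self.key, self.replay_cache = key, set()

    def ap_exchange(self, ticket_blob, auth_blob, now=None):  # AP-REQ -> AP-REP (5-6)
        now = time.time() if now is None else now
        ticket = unseal(self.key, ticket_blob)
        sk = bytes.fromhex(ticket["key"])
        auth = unseal(sk, auth_blob)
        check_fresh(ticket, auth, now)
        if (auth["client"], auth["ts"]) in self.replay_cache:
            raise ValueError("replayed authenticator")
        self.replay_cache.add((auth["client"], auth["ts"]))
        return seal(sk, {"ts": auth["ts"]})  # AP-REP: proves the server holds the key

def client_login(kdc, name, password):  # workstation opens AS-REP with the password key
    rep = unseal(password_key(password), kdc.as_exchange(name))
    return bytes.fromhex(rep["key"]), bytes.fromhex(rep["tgt"])

def demo():  # run the three exchanges; returns what the service decided in each case
    secrets = {"alice": password_key("correct horse"),  # constructed principals
               "krbtgt": os.urandom(32), "host/fileserver": os.urandom(32)}
    kdc, fs, results = KDC(secrets), Service(secrets["host/fileserver"]), {}
    try:
        client_login(kdc, "alice", "wrong guess")  # wrong password: AS-REP will not open
    except ValueError as e:
        results["wrong_password"] = str(e)
    sk, tgt = client_login(kdc, "alice", "correct horse")
    rep = unseal(sk, kdc.tgs_exchange(tgt, authenticator(sk, "alice"), "host/fileserver"))
    svc_key, ticket = bytes.fromhex(rep["key"]), bytes.fromhex(rep["ticket"])
    ap_req = authenticator(svc_key, "alice")
    ap_rep = unseal(svc_key, fs.ap_exchange(ticket, ap_req))
    results["mutual"] = ap_rep["ts"] == unseal(svc_key, ap_req)["ts"]
    stale = authenticator(svc_key, "alice", time.time() - 2 * MAX_SKEW)
    for label, blob in (("replay", ap_req), ("stale", stale)):
        try:
            fs.ap_exchange(ticket, blob)
            results[label] = "accepted"
        except ValueError as e:
            results[label] = str(e)
    return results
```

Running `demo()` shows the wrong password failing at the AS reply, the first AP-REQ being accepted with a valid AP-REP, and the replayed and stale authenticators being refused by the service.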


NEW QUESTION 151 
- (Topic 1) 
What is considered the most important type of error to avoid for a biometric access control system? 


A. Type I Error 
B. Type II Error 
C. Combined Error Rate 
D. Crossover Error Rate 


Answer: B 
Explanation: 
When a biometric system is used for access control, the most important error is the false accept or false acceptance rate, or Type II error, where the system would accept an impostor. 

A Type I error is known as the false reject or false rejection rate and is not as important in the security context as a Type II error rate. A Type I error is when a valid company employee is rejected by the system and cannot get access even though he is a valid user. 

The Crossover Error Rate (CER) is the point at which the false rejection rate equals the false acceptance rate if you were to create a graph of Type I and Type II errors. The lower the CER, the better the device. 

The Combined Error Rate is a distracter and does not exist. 

Source: TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume 1), 2000, CRC Press, Chapter 1, Biometric 
Identification (page 10). 
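How the Type I rate, Type II rate and CER relate, as an added example in Python (not from the cited handbook): FRR and FAR are computed from constructed match scores over a range of decision thresholds, the CER is the threshold where they meet, and a security-first threshold is chosen by capping FAR before minimizing FRR.

```python
# Constructed similarity scores (0-100) for ten genuine presentations and ten
# impostor attempts; higher is a better match, and a sample is accepted when
# its score is at or above the decision threshold.
GENUINE = [55, 62, 70, 74, 78, 81, 85, 88, 92, 97]
IMPOSTOR = [18, 25, 31, 38, 44, 52, 58, 66, 73, 80]
THRESHOLDS = range(0, 101, 5)


def frr(threshold, genuine=GENUINE):
    """False Rejection Rate (Type I): valid subjects scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(threshold, impostor=IMPOSTOR):
    """False Acceptance Rate (Type II): impostors scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def error_curve(thresholds=THRESHOLDS, genuine=GENUINE, impostor=IMPOSTOR):
    """(threshold, FRR, FAR) per threshold: FRR rises and FAR falls as it is raised."""
    return [(t, frr(t, genuine), far(t, impostor)) for t in thresholds]


def crossover(thresholds=THRESHOLDS, genuine=GENUINE, impostor=IMPOSTOR):
    """Threshold where FRR and FAR meet (or come closest) and the CER at that point."""
    t, f_rr, f_ar = min(error_curve(thresholds, genuine, impostor),
                        key=lambda row: (abs(row[1] - row[2]), row[0]))
    return t, (f_rr + f_ar) / 2


def security_threshold(max_far, thresholds=THRESHOLDS, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest-FRR threshold whose FAR stays within max_far.

    For access control the Type II error is the one to avoid, so FAR is the
    constraint and the resulting FRR is the usability cost paid for it."""
    candidates = [row for row in error_curve(thresholds, genuine, impostor)
                  if row[2] <= max_far]
    return min(candidates, key=lambda row: (row[1], row[0]))


if __name__ == "__main__":
    for t, r, a in error_curve():
        print(f"threshold {t:3d}  FRR {r:.0%}  FAR {a:.0%}")
    cer_t, cer = crossover()
    print(f"CER {cer:.0%} at threshold {cer_t}")
    t, r, a = security_threshold(0.10)
    print(f"FAR <= 10%: threshold {t}, FRR {r:.0%}, FAR {a:.0%}")
```

With these scores the curves cross at threshold 70 (CER 20%), and holding FAR to 10% forces the threshold up to 75 at the cost of a 40% FRR.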


NEW QUESTION 152 
- (Topic 1) 
Which of the following best ensures accountability of users for the actions taken within a system or domain? 


A. Identification 
B. Authentication 
C. Authorization 
D. Credentials 


Answer: B 


Explanation: 

Details: 

The only way to ensure accountability is if the subject is uniquely identified and authenticated. Identification alone does not provide proof the user is who they claim 
to be. After showing proper credentials, a user is authorized access to resources. 

References: 

HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 4: Access Control (page 126). 


NEW QUESTION 156 
- (Topic 1) 
What is called the act of a user professing an identity to a system, usually in the form of a log-on ID? 


A. Authentication 
B. Identification 
C. Authorization 
D. Confidentiality 


Answer: B 


Explanation: 

Identification is the act of a user professing an identity to a system, usually in the form of a log-on ID to the system. 

Identification is nothing more than claiming you are somebody. You identify yourself when you speak to someone on the phone that you don't know, and they ask you who they're speaking to. When you say, "I'm Jason.", you've just identified yourself. 

In the information security world, this is analogous to entering a username. It's not analogous to entering a password. Entering a password is a method for verifying that you are who you identified yourself as. 

NOTE: The word "professing" used above means: "to say that you are, do, or feel something when other people doubt what you say". This is exactly what happens when you provide your identifier (identification): you claim to be someone, but the system cannot take your word for it, so you must further authenticate to the system to prove who you claim to be. 

The following are incorrect answers: 

Authentication: is how one proves that they are who they say they are. When you claim to be Jane Smith by logging into a computer system as "jsmith", it's most likely going to ask you for a password. You've claimed to be that person by entering the name into the username field (that's the identification part), but now you have to prove that you are really that person. 

Many systems use a password for this, which is based on "something you know", i.e. a secret between you and the system. 

Another form of authentication is presenting something you have, such as a driver's license, an RSA token, or a smart card. 

You can also authenticate via something you are. This is the foundation for biometrics. When you do this, you first identify yourself and then submit a thumb print, a retina scan, or another form of bio-based authentication. 

Once you've successfully authenticated, you have now done two things: you've claimed to be someone, and you've proven that you are that person. The only thing that's left is for the system to determine what you're allowed to do. 

Authorization: is what takes place after a person has been both identified and authenticated; it's the step that determines what a person can then do on the system. An example in people terms would be someone knocking on your door at night. You say, "Who is it?", and wait for a response. They say, "It's John." in order to identify themselves. You ask them to back up into the light so you can see them through the peephole. They do so, and you authenticate them based on what they look like (biometric). At that point you decide they can come inside the house. 

If they had said they were someone you didn't want in your house (identification), and you then verified that it was that person (authentication), the authorization phase would not include access to the inside of the house. 

Confidentiality: Is one part of the CIA triad. It prevents sensitive information from reaching the wrong people, while making sure that the right people can in fact get it. A good example is a credit card number while shopping online: the merchant needs it to clear the transaction, but you do not want your information exposed over the network, so you would use a secure link such as SSL, TLS, or some tunneling tool to protect the information from prying eyes between point A and point B. Data encryption is a common method of ensuring confidentiality. 

The other parts of the CIA triad are listed below: 

Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. Data must not be changed in transit, and steps must 
be taken to ensure that data cannot be altered by unauthorized people (for example, in a breach of confidentiality). In addition, some means must be in place to 
detect any changes in data that might occur as a result of non-human-caused events such as an electromagnetic pulse (EMP) or server crash. If an unexpected 
change occurs, a backup copy must be available to restore the affected data to its correct state. 

Availability is best ensured by rigorously maintaining all hardware, performing hardware repairs immediately when needed, providing a certain measure of 
redundancy and failover, providing adequate communications bandwidth and preventing the occurrence of bottlenecks, implementing emergency backup power 
systems, keeping current with all necessary system upgrades, and guarding against malicious actions such as denial-of- service (DoS) attacks. 

Reference used for this question: 

http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA 

http://www.danielmiessler.com/blog/security-identification-authentication-and-authorization 

http://www.merriam-webster.com/dictionary/profess 

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36. 


NEW QUESTION 161 
- (Topic 1) 
In Mandatory Access Control, sensitivity labels attached to object contain what information? 


A. The item's classification 

B. The item's classification and category set 
C. The item's category 

D. The item's need to know 


Answer: B 


Explanation: 

A Sensitivity label must contain at least one classification and one category set. 

Category set and Compartment set are synonyms, they mean the same thing. The sensitivity label must contain at least one Classification and at least one 
Category. It is common in some environments for a single item to belong to multiple categories. The list of all the categories to which an item belongs is called a 
compartment set or category set. 

The following answers are incorrect: 

The item's classification. Is incorrect because you need a category set as well. 

The item's category. Is incorrect because category set and classification would both be required. 

The item's need to know. Is incorrect because there is no such thing. The need to know is indicated by the categories the object belongs to. This is NOT the best answer. 

Reference(s) used for this question: 

OIG CBK, Access Control (pages 186 - 188) 

AIO, 3rd Edition, Access Control (pages 162 - 163) AIO, 4th Edition, Access Control, pp 212-214. 

Wikipedia - http://en.wikipedia.org/wiki/Mandatory_Access_Control 


NEW QUESTION 164 
- (Topic 1) 
What is the Biba security model concerned with? 


A. Confidentiality 
B. Reliability 

C. Availability 

D. Integrity 


Answer: D 


Explanation: 

The Biba security model addresses the integrity of data being threatened when subjects at lower security levels are able to write to objects at higher security 
levels and when subjects can read data at lower levels. 

Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw- Hill/Osborne, 2002, Chapter 5: Security Models and Architecture (Page 244). 


NEW QUESTION 167 
- (Topic 1) 
Which access model is most appropriate for companies with a high employee turnover? 


A. Role-based access control 
B. Mandatory access control 

C. Lattice-based access control 
D. Discretionary access control 


Answer: A 


Explanation: 

The underlying problem for a company with a lot of turnover is assuring that new employees are assigned the correct access permissions and that those 
permissions are removed when they leave the company. 

Selecting the best answer requires one to think about the access control options in the context of a company with a lot of flux in the employee population. RBAC simplifies the task of assigning permissions because the permissions are assigned to roles which do not change based on who belongs to them. As employees join the company, it is simply a matter of assigning them to the appropriate roles and their permissions derive from their assigned role. They will implicitly inherit the permissions of the role or roles they have been assigned to. When they leave the company or change jobs, their role assignment is revoked/changed appropriately. 

Mandatory access control is incorrect. While controlling access based on the clearance level of employees and the sensitivity of objects is a better choice than some of the other incorrect answers, it is not the best choice when RBAC is an option and you are looking for the best solution for a high number of employees constantly leaving or joining the company. 

Lattice-based access control is incorrect. The lattice is really a mathematical concept that is used in formally modeling information flow (Bell-Lapadula, Biba, etc). 
In the context of the question, an abstract model of information flow is not an appropriate choice. CBK, pp. 324- 325. 

Discretionary access control is incorrect. When an employee joins or leaves the company, the object owner must grant or revoke access for that employee on all 
the objects they own. Problems would also arise when the owner of an object leaves the company. The complexity of assuring that the permissions are added and 
removed correctly makes this the least desirable solution in this situation. 

References 

All in One, third edition page 165 

RBAC is discussed on pp. 189 through 191 of the ISC(2) guide. 


NEW QUESTION 170 
- (Topic 1) 
Which TCSEC level is labeled Controlled Access Protection? 


Answer: B 


Explanation: 

C2 is labeled Controlled Access Protection. 

The TCSEC defines four divisions: D, C, B and A where division A has the highest security. Each division represents a significant difference in the trust an 
individual or organization 

can place on the evaluated system. Additionally divisions C, B and A are broken into a series of hierarchical subdivisions called classes: C1, C2, B1, B2, B3 and A1. 

Each division and class expands or modifies as indicated the requirements of the immediately prior division or class. 

D - Minimal protection 

Reserved for those systems that have been evaluated but that fail to meet the requirements for a higher division 

C - Discretionary protection 

C1 - Discretionary Security Protection 
Identification and authentication 
Separation of users and data 
Discretionary Access Control (DAC) capable of enforcing access limitations on an individual basis 
Required System Documentation and user manuals 

C2 - Controlled Access Protection 
More finely grained DAC 
Individual accountability through login procedures 
Audit trails 
Object reuse 
Resource isolation 

B - Mandatory protection 

B1 - Labeled Security Protection 
Informal statement of the security policy model 
Data sensitivity labels 
Mandatory Access Control (MAC) over selected subjects and objects 
Label exportation capabilities 
All discovered flaws must be removed or otherwise mitigated 
Design specifications and verification 

B2 - Structured Protection 
Security policy model clearly defined and formally documented 
DAC and MAC enforcement extended to all subjects and objects 
Covert storage channels are analyzed for occurrence and bandwidth 
Carefully structured into protection-critical and non-protection-critical elements 
Design and implementation enable more comprehensive testing and review 
Authentication mechanisms are strengthened 
Trusted facility management is provided with administrator and operator segregation 
Strict configuration management controls are imposed 

B3 - Security Domains 
Satisfies reference monitor requirements 
Structured to exclude code not essential to security policy enforcement 
Significant system engineering directed toward minimizing complexity 
Security administrator role defined 
Audit security-relevant events 
Automated imminent intrusion detection, notification, and response 
Trusted system recovery procedures 
Covert timing channels are analyzed for occurrence and bandwidth 
An example of such a system is the XTS-300, a precursor to the XTS-400 

A - Verified protection 

A1 - Verified Design 
Functionally identical to B3 
Formal design and verification techniques including a formal top-level specification 
Formal management and distribution procedures 
An example of such a system is Honeywell's Secure Communications Processor SCOMP, a precursor to the XTS-400 

Beyond A1 

System Architecture demonstrates that the requirements of self-protection and completeness for reference monitors have been implemented in the Trusted 
Computing Base (TCB). 

Security Testing automatically generates test-case from the formal top-level specification or formal lower-level specifications. 

Formal Specification and Verification is where the TCB is verified down to the source code level, using formal verification methods where feasible. 
Trusted Design Environment is where the TCB is designed in a trusted facility with only trusted (cleared) personnel. 

The following are incorrect answers: 

C1 is Discretionary Security Protection. 

C3 does not exist; it is only a distractor. 

B1 is called Labeled Security Protection. 

Reference(s) used for this question: 

HARE, Chris, Security Management Practices, CISSP Open Study Guide, version 1.0, April 1999. 

and 

AIOv4 Security Architecture and Design (pages 357-361) 

AIOv5 Security Architecture and Design (pages 358-362) 


NEW QUESTION 171 
- (Topic 1) 
Which security model uses division of operations into different parts and requires different users to perform each part? 


A. Bell-LaPadula model 

B. Biba model 

C. Clark-Wilson model 

D. Non-interference model 


Answer: C 


Explanation: 

The Clark-Wilson model uses separation of duties, which divides an operation into different parts and requires different users to perform each part. This prevents 
authorized users from making unauthorized modifications to data, thereby protecting its integrity. 

The Clark-Wilson integrity model provides a foundation for specifying and analyzing an integrity policy for a computing system. 

The model is primarily concerned with formalizing the notion of information integrity. Information integrity is maintained by preventing corruption of data items in a 
system due to either error or malicious intent. An integrity policy describes how the data items in the system should be kept valid from one state of the system to 
the next and specifies the capabilities of various principals in the system. The model defines enforcement rules and certification rules. 

The model's enforcement and certification rules define data items and processes that provide the basis for an integrity policy. The core of the model is based on 
the notion of a transaction. 

A well-formed transaction is a series of operations that transition a system from one consistent state to another consistent state. 

In this model the integrity policy addresses the integrity of the transactions. 

The principle of separation of duty requires that the certifier of a transaction and the implementer be different entities. 

The model contains a number of basic constructs that represent both data items and processes that operate on those data items. The key data type in the Clark- 
Wilson model is a Constrained Data Item (CDI). An Integrity Verification Procedure (IVP) ensures that all CDIs in the system are valid at a certain state. 
Transactions that enforce the integrity policy are represented by Transformation Procedures (TPs). A TP takes as input a CDI or Unconstrained Data Item (UDI) 
and produces a CDI. A TP must transition the system from one valid state to another valid state. UDIs represent system input (such as that provided by a user or 
adversary). A TP must guarantee (via certification) that it transforms all possible values of a UDI to a "safe" CDI. 

In general, preservation of data integrity has three goals: 
  Prevent data modification by unauthorized parties 
  Prevent unauthorized data modification by authorized parties 
  Maintain internal and external consistency (i.e. data reflects the real world) 

Clark-Wilson addresses all three goals, but Biba addresses only the first goal of integrity. 

References: 

HARRIS, Shon, All-In-One CISSP Certification Fifth Edition, McGraw-Hill/Osborne, Chapter 5: Security Architecture and Design (Page 341-344). 
and 

http://en.wikipedia.org/wiki/Clark-Wilson_model 


NEW QUESTION 176 

- (Topic 1) 

In which of the following security models is the subject's clearance compared to the object's classification such that specific rules can be applied to control how the 
subject-to-object interactions take place? 


A. Bell-LaPadula model 
B. Biba model 

C. Access Matrix model 
D. Take-Grant model 


Answer: A 


Explanation: 

The Bell-LaPadula model is also called a multilevel security system because users with different clearances use the system and the system processes data with 
different classifications. It was developed by the US Military in the 1970s. 

A security model maps the abstract goals of the policy to information system terms by specifying explicit data structures and techniques necessary to enforce the 
security policy. A security model is usually represented in mathematics and analytical ideas, which are mapped to system specifications and then developed by 
programmers through programming code. So we have a policy that encompasses security goals, such as "each subject must be authenticated and authorized 
before accessing an object." The security model takes this requirement and provides the necessary mathematical formulas, relationships, and logic structure to 
be followed to accomplish this goal. 

A system that employs the Bell-LaPadula model is called a multilevel security system because users with different clearances use the system, and the system 
processes data at different classification levels. The level at which information is classified determines the handling procedures that should be used. The Bell- 
LaPadula model is a state machine model that enforces the confidentiality aspects of access control. A matrix and security levels are used to determine if subjects 
can access different objects. The subject's clearance is compared to the object's classification and then specific rules are applied to control how subject-to-object 
interactions can take place. 

Reference(s) used for this question: 

Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (p. 369). McGraw-Hill. Kindle Edition. 


NEW QUESTION 177 
- (Topic 1) 
The Computer Security Policy Model the Orange Book is based on is which of the following? 


A. Bell-LaPadula 

B. Data Encryption Standard 
C. Kerberos 

D. Tempest 


Answer: A 


Explanation: 

The Computer Security Policy Model the Orange Book is based on is the Bell-LaPadula Model. Orange Book Glossary. 

The Data Encryption Standard (DES) is a cryptographic algorithm. National Information Security Glossary. 

TEMPEST is related to limiting the electromagnetic emanations from electronic equipment. 

Reference: U.S. Department of Defense, Trusted Computer System Evaluation Criteria (Orange Book), DOD 5200.28-STD, December 1985. 


NEW QUESTION 179 
- (Topic 1) 
What are called user interfaces that limit the functions that can be selected by a user? 


A. Constrained user interfaces 
B. Limited user interfaces 

C. Mini user interfaces 

D. Unlimited user interfaces 


Answer: A 


Explanation: 

Constrained user interfaces limit the functions that can be selected by a user. 

Another method for controlling access is by restricting users to specific functions based on their role in the system. This is typically implemented by limiting 
available menus, data views, encryption, or by physically constraining the user interfaces. 

This is common on devices such as an automated teller machine (ATM). The advantage of a constrained user interface is that it limits potential avenues of attack 
and system failure by restricting the processing options that are available to the user. 

On an ATM machine, if a user does not have a checking account with the bank he or she will not be shown the "Withdraw money from checking" option. 
Likewise, an information system might have an "Add/Remove Users" menu option for administrators, but if a normal, non-administrative user logs in he or she 
will not even see that menu option. By not even identifying potential options for non-qualifying users, the system limits the potentially harmful execution of 
unauthorized system or application commands. 

Many database management systems have the concept of "views." A database view is an extract of the data stored in the database that is filtered based on 
predefined user or system criteria. This permits multiple users to access the same database while only having the ability to access data they need (or are allowed 
to have) and not data for another user. The use of database views is another example of a constrained user interface. 

The following were incorrect answers: 

All of the other choices presented were bogus answers. 

The following reference(s) were used for this question: 

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 1989-2002). Auerbach 
Publications. Kindle Edition. 


NEW QUESTION 181 
- (Topic 1) 
Which type of control is concerned with restoring controls? 


A. Compensating controls 
B. Corrective controls 

C. Detective controls 

D. Preventive controls 


Answer: B 


Explanation: 

Corrective controls are concerned with remedying circumstances and restoring controls. 

Detective controls are concerned with investigating what happened after the fact, such as logs and video surveillance tapes for example. 

Compensating controls are alternative controls, used to compensate for weaknesses in other controls. 

Preventive controls are concerned with avoiding occurrences of risks. 

Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation. 


NEW QUESTION 183 
- (Topic 1) 
Which of the following is addressed by Kerberos? 


A. Confidentiality and Integrity 
B. Authentication and Availability 
C. Validation and Integrity 

D. Auditability and Integrity 


Answer: A 


Explanation: 

Kerberos addresses the confidentiality and integrity of information. It also primarily addresses authentication, but does not directly address availability. 

Reference(s) used for this question: 

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 42. 

and https://www.ietf.org/rfc/rfc4120.txt 

and http://learn-networking.com/network-security/how-kerberos-authentication-works 


NEW QUESTION 185 
- (Topic 1) 
How should a doorway of a manned facility with automatic locks be configured? 


A. It should be configured to be fail-secure. 
B. It should be configured to be fail-safe. 
C. It should have a door delay cipher lock. 
D. It should not allow piggybacking. 


Answer: B 


Explanation: 

Access controls are meant to protect facilities and computers as well as people. 

In some situations, the objectives of physical access controls and the protection of people's lives may come into conflict. In these situations, a person's life always 
takes precedence. 

Many physical security controls make entry into and out of a facility hard, if not impossible. However, special consideration needs to be taken when this could 
affect lives. In an information processing facility, different types of locks can be used and piggybacking should be prevented, but the issue here with automatic 
locks is that they can either be configured as fail-safe or fail-secure. 

Since there should only be one access door to an information processing facility, the automatic lock to the only door to a man-operated room must be configured 
to allow people out in case of emergency, hence to be fail-safe (sometimes called fail-open), meaning that upon fire alarm activation or electric power failure, the 
locking device unlocks. This is because the solenoid that maintains power to the lock to keep it in a locked state fails and thus opens or unlocks the electronic lock. 

Fail-secure works just the other way. The lock device is in a locked or secure state with no power applied. Upon authorized entry, a solenoid unlocks the lock 
temporarily. Thus in a fail-secure lock, loss of power or fire alarm activation causes the lock to remain in a secure mode. 

Reference(s) used for this question: 

Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 451). McGraw-Hill. Kindle Edition. 

and 

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 20249-20251). Auerbach 
Publications. Kindle Edition. 


NEW QUESTION 186 

- (Topic 2) 

The property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performance specifications 
for the system is referred to as? 


A. Confidentiality 
B. Availability 

C. Integrity 

D. Reliability 


Answer: B 
Explanation: 

A company security program must: 

1) assure that systems and applications operate effectively and provide appropriate confidentiality, integrity, and availability; 

2) protect information commensurate with the level of risk and magnitude of harm resulting from loss, misuse, unauthorized access, or modification. 

Availability is the property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performance 
specifications for the system; i.e., a system is available if it provides services according to the system design whenever users request them. 

The following are incorrect answers: 

Confidentiality - The information requires protection from unauthorized disclosure and only the INTENDED recipient should have access to the meaning of the data 
either in storage or in transit. 

Integrity - The information must be protected from unauthorized, unanticipated, or unintentional modification. This includes, but is not limited to: 

Authenticity - A third party must be able to verify that the content of a message has not been changed in transit. 

Non-repudiation - The origin or the receipt of a specific message must be verifiable by a third party. 

Accountability - A security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. 

Reference used for this question: 

RFC 2828 

and 

SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001 (page 5). 


NEW QUESTION 188 
- (Topic 2) 
Which of the following is BEST defined as a physical control? 


A. Monitoring of system activity 

B. Fencing 

C. Identification and authentication methods 
D. Logical access control mechanisms 


Answer: B 


Explanation: 

Physical controls are items put into place to protect facility, personnel, and resources. Examples of physical controls are security guards, locks, fencing, and 
lighting. 

The following answers are incorrect answers: 

Monitoring of system activity is considered to be an administrative control. 

Identification and authentication methods are considered to be a technical control. Logical access control mechanisms are also considered to be a technical control. 

Reference(s) used for this question: 

Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 1280-1282). McGraw-Hill. Kindle Edition. 


NEW QUESTION 191 
- (Topic 2) 
Which of the following should NOT be performed by an operator? 


A. Implementing the initial program load 
B. Monitoring execution of the system 
C. Data entry 

D. Controlling job flow 


Answer: C 


Explanation: 

Under the principle of separation of duties, an operator should not be performing data entry. This should be left to data entry personnel. 

System operators represent a class of users typically found in data center environments where mainframe systems are used. They provide day-to-day operations 
of the mainframe environment, ensuring that scheduled jobs are running effectively and troubleshooting problems that may arise. They also act as the arms and 
legs of the mainframe environment, loading and unloading tapes and the results of job print runs. Operators have elevated privileges, but less than those of system 
administrators. If misused, these privileges may be used to circumvent the system's security policy. As such, use of these privileges should be monitored through 
audit logs. 

Some of the privileges and responsibilities assigned to operators include: 

Implementing the initial program load: This is used to start the operating system. The boot process or initial program load of a system is a critical time for ensuring 
system security. Interruptions to this process may reduce the integrity of the system or cause the system to crash, precluding its availability. 

Monitoring execution of the system: Operators respond to various events, to include errors, interruptions, and job completion messages. 

Volume mounting: This allows the desired application access to the system and its data. 

Controlling job flow: Operators can initiate, pause, or terminate programs. This may allow an operator to affect the scheduling of jobs. Controlling job flow involves 
the manipulation of configuration information needed by the system. Operators with the ability to control a job or application can cause output to be altered or 
diverted, which can threaten confidentiality. 

Bypass label processing: This allows the operator to bypass security label information to run foreign tapes (foreign tapes are those from a different data center that 
would not be using the same label format that the system could run). This privilege should be strictly controlled to prevent unauthorized access. 

Renaming and relabeling resources: This is sometimes necessary in the mainframe environment to allow programs to properly execute. Use of this privilege 
should be monitored, as it can allow the unauthorized viewing of sensitive information. 

Reassignment of ports and lines: Operators are allowed to reassign ports or lines. If misused, reassignment can cause program errors, such as sending sensitive 
output to an unsecured location. Furthermore, an incidental port may be opened, subjecting the system to an attack through the creation of a new entry point into 
the system. 

Reference(s) used for this question: 

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 19367-19395). Auerbach 
Publications. Kindle Edition. 


NEW QUESTION 194 
- (Topic 2) 
Which software development model is actually a meta-model that incorporates a number of the software development models? 
A. The Waterfall model 

B. The modified Waterfall model 
C. The Spiral model 

D. The Critical Path Model (CPM) 


Answer: C 


Explanation: 

The spiral model is actually a meta-model that incorporates a number of the software development models. This model depicts a spiral that incorporates the 
various phases of software development. The model states that each cycle of the spiral involves the same series of steps for each part of the project. CPM refers 
to the Critical Path Methodology. 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 7: 
Applications and Systems Development (page 246). 


NEW QUESTION 198 

- (Topic 2) 

Which of the following security controls might force an operator into collusion with personnel assigned organizationally within a different function in order to gain 
access to unauthorized data? 


A. Limiting the local access of operations personnel 
B. Job rotation of operations personnel 

C. Management monitoring of audit logs 

D. Enforcing regular password changes 


Answer: A 


Explanation: 

The question specifically says "within a different function", which eliminates job rotation as a choice. 

Management monitoring of audit logs is a detective control and it would not prevent collusion. 

Changing passwords regularly would not prevent such an attack. 

This question validates whether you understand the concepts of separation of duties and least privilege. By having operators that have only the minimum access 
level they need, and only what they need to do their duties within a company, the operations personnel would be forced to use collusion to defeat those security 
mechanisms. 

Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation. 


NEW QUESTION 199 
- (Topic 2) 
During which phase of an IT system life cycle are security requirements developed? 


A. Operation 

B. Initiation 

C. Functional design analysis and Planning 
D. Implementation 


Answer: C 


Explanation: 

The software development life cycle (SDLC) (sometimes referred to as the System Development Life Cycle) is the process of creating or altering software 
systems, and the models and methodologies that people use to develop these systems. 

NIST SP 800-64 Revision 2 has, within the description section of paragraph 3.2.1: 

This section addresses security considerations unique to the second SDLC phase. Key security activities for this phase include: 

• Conduct the risk assessment and use the results to supplement the baseline security controls; 
• Analyze security requirements; 
• Perform functional and security testing; 
• Prepare initial documents for system certification and accreditation; and 
• Design security architecture. 

Reviewing this publication you may want to pick development/acquisition. Although initiation would be a decent choice, it is correct to say during this phase you 
would only brainstorm the idea of security requirements. Once you start to develop and acquire hardware/software components then you would also develop the 
security controls for these. The Shon Harris reference below is correct as well. 

Shon Harris' book (All-in-One CISSP Certification Exam Guide) divides the SDLC differently: 

  Project initiation 
  Functional design analysis and planning 
  System design specifications 
  Software development 
  Installation 
  Maintenance support 
  Revision and replacement 

According to the author (Shon Harris), security requirements should be developed during the functional design analysis and planning phase. 

SDLC POSITIONING FROM NIST 800-64 

[Figure 2-1, Positioning Security Considerations] 

SDLC Positioning in the enterprise 

Information system security processes and activities provide valuable input into managing IT systems and their development, enabling risk identification, planning 
and mitigation. A risk management approach involves continually balancing the protection of agency information and assets with the cost of security controls and 
mitigation strategies throughout the complete information system development life cycle (see Figure 2-1 above). The most effective way to implement risk 
management is to identify critical assets and operations, as well as systemic vulnerabilities across the agency. Risks are shared and not bound by organization, 
revenue source, or topologies. Identification and verification of critical assets and operations and their interconnections can be achieved through the system 
security planning process, as well as through the compilation of information from the Capital Planning and Investment Control (CPIC) and Enterprise Architecture 
(EA) processes to establish insight into the agency's vital business operations, their supporting assets, and existing interdependencies and relationships. 

With critical assets and operations identified, the organization can and should perform a business impact analysis (BIA). The purpose of the BIA is to relate 
systems and assets with the critical services they provide and assess the consequences of their disruption. By identifying these systems, an agency can manage 
security effectively by establishing priorities. This positions the security office to facilitate the IT program's cost-effective performance as well as articulate its 
business impact and value to the agency. 

SDLC OVERVIEW FROM NIST 800-64 

[Figure: SDLC Overview from NIST 800-64 Revision 2] 

NIST 800-64 Revision 2 is one publication within the NIST standards that I would recommend you look at for more details about the SDLC. It describes in great 
detail what activities would take place, and they have a nice diagram for each of the phases of the SDLC. You will find a copy at: 
http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf 

DISCUSSION: 

Different sources present slightly different info as far as the phases names are concerned. 

People sometimes get confused with some of the NIST standards. For example, NIST 800-64, Security Considerations in the Information System Development 
Life Cycle, has slightly different names, but the activities mostly remain the same. 

NIST clearly specifies that security requirements would be considered throughout ALL of the phases. The keyword here is considered; if a question is about which 
phase they would be developed in, then Functional Design Analysis would be the correct choice. 

Within the NIST standard they use different phase names; however, under the second phase you will see that they talk specifically about security functional 
requirements analysis, which confirms it is not at the initiation stage, so it becomes easier to come up with the answer to this question. Here is what is stated: 

The security functional requirements analysis considers the system security environment, including the enterprise information security policy and the enterprise 
security architecture. The analysis should address all requirements for confidentiality, integrity, and availability of information, and should include a review of all 
legal, functional, and other security requirements contained in applicable laws, regulations, and guidance. 

At the initiation step you would NOT have enough detail yet to produce the security requirements. You are mostly brainstorming on all of the issues listed, but 
you do not develop them all at that stage. 

By considering security early in the information system development life cycle (SDLC), you may be able to avoid higher costs later on and develop a more secure 
system from the start. 

NIST says: 

NIST's Information Technology Laboratory recently issued Special Publication (SP) 800-64, Security Considerations in the Information System Development Life 
Cycle, by Tim Grance, Joan Hash, and Marc Stevens, to help organizations include security requirements in their planning for every phase of the system life cycle, 
and to select, acquire, and use appropriate and cost-effective security controls. 

I must admit this is all very tricky, but reading skills and paying attention to KEY WORDS are a must for this exam. 

References: 

HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, Fifth Edition, Page 956 

and 

NIST SP 800-64 Revision 2 at http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf 

and 

http://www.mks.com/resources/resource-pages/software-development-life-cycle-sdlc-system-development 